Find the internet security level that's right for your needs
The only way to ensure you'll never be the victim of a malicious hacker is to stay off the internet. Since that's not a viable option for most of us, the goal becomes finding the level of protection that matches our level of risk.
There's a baseline of security precautions that everyone using a computer or internet-connected device needs to implement. These three features are active by default on most computers and smart phones of recent vintage. All you need to do is respond to system prompts in a timely manner:

1. Keep your software up-to-date. When a program alerts you that an update is available, install it at your next convenient opportunity.
2. Use antivirus software that is always running (and that automatically updates). Your anti-malware program should automatically scan downloaded files before they reach your machine or device.
3. Use a firewall, which nearly all computers provide by default. The free Lookout security program offers a firewall function for iOS and Android devices.

Please, not the 'P' word again

The person most responsible for the standard password rules of changing regularly and using various nonsense characters has fessed up: Those rules are worse than useless. In an August 8, 2017, post on the Telegraph (via Yahoo Tech), James Titcomb reports that Bill Burr, the U.S. government worker who first conceived of the familiar password "rules" back in 2003, now admits the result was less security, and higher costs.

Requiring use of symbols, numbers, and upper case resulted in people reusing the same passwords, perhaps with slight changes. It also led to people writing down their passwords. In addition, putting expiration dates on passwords caused no end of administrative headaches for companies, and the policy did nothing to improve security.

Burr says he regrets suggesting these policies, which were "too complicated" and "barking up the wrong tree." The password experts now recommend using long phrases comprised of a word string that's easy to remember, such as "puffineatingbanana," which would take millions of years to crack, according to Titcomb. The new #1 rule for passwords is, the longer the password, the harder it is to crack.
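
An added example, not from the original post: a rough estimate of why length beats character variety, using the article's "puffineatingbanana". The guessing rate and the 7,776-word list are assumptions chosen for illustration, and the last two rows go beyond the article by running the same estimate when guesses are made a whole word at a time.

```python
import string

# Assumptions for this added example (none of these figures come from the article):
GUESSES_PER_SECOND = 1e10          # offline guessing rate against a fast hash
WORDLIST_SIZE = 7776               # Diceware-sized list of candidate words
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Only printable ASCII classes are counted; other characters are ignored.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def charset_size(password):
    """Combined size of every character class the password draws from."""
    return sum(len(cls) for cls in CHAR_CLASSES
               if any(ch in cls for ch in password))


def brute_force_years(password, rate=GUESSES_PER_SECOND):
    """Years to try every string of this length over the same character set."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / rate / SECONDS_PER_YEAR


def word_guess_years(word_count, rate=GUESSES_PER_SECOND, words=WORDLIST_SIZE):
    """Years to try every phrase of `word_count` words picked from the list."""
    return words ** word_count / rate / SECONDS_PER_YEAR


def report():
    """Compare a short complex password with the article's long phrase."""
    return {
        "P@ssw0rd (8 chars, 4 classes)": brute_force_years("P@ssw0rd"),
        "puffineatingbanana (18 lowercase)": brute_force_years("puffineatingbanana"),
        "3 listed words, guessed by word": word_guess_years(3),
        "6 listed words, guessed by word": word_guess_years(6),
    }


if __name__ == "__main__":
    for label, years in report().items():
        print(f"{label:36s} {years:.3g} years")
```

Character by character, the 18-letter phrase outlasts the 8-character "complex" password by many orders of magnitude; guessed word by word, the number of words and how randomly they were chosen is what sets the cost.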
Quick tip: A safe way to 'write down' your passwords

Suppose you have an innocent-looking Word doc or text file, such as "Grandma's banana-nut bread recipe," sitting in the Documents folder on your computer (or even better, a cloud storage service). At the end of the document's text, type in your account names and passwords. Select the text you just entered and change the text color to white (or the current document's background color). The text will be invisible until you select it, either by dragging your mouse over the information, or by typing Ctrl-A (or Command-A on a Mac).

Two-factor authentication is a bother, but it's worth it

If I told you there's a way to nearly eliminate the risk of having one of your internet accounts hacked, would you do it? Even if doing so added five seconds to the sign-in process? Then I'd like to introduce you to two-factor authentication. With 2FA, you have a code sent to your phone or other device via text message. Enter the code in the sign-in window on your PC to access your account.

For more than a year I've been using 2FA when signing into my Google and Amazon accounts. I sign into these accounts only a handful of times each week on average, so the inconvenience of retrieving the six-number code from a text on my phone is minor. You can save time by having the code sent to your email inbox, but then you lose the benefit of 2FA: requiring access to a second device to sign into an account.

In a June 17, 2017, post on the Verge, Natt Garun provides instructions for enabling 2FA on Facebook, Instagram, Apple (iOS and Mac OS), Twitter, Google, Microsoft, Amazon, Snapchat, Slack, Dropbox, PayPal, and other services.

Separating encryption protection from encryption politics

The encryption genie is out of the bottle. End-to-end encryption that is theoretically impossible for governments or anyone else to crack is available to the public. A debate is raging over whether everyday internet denizens need end-to-end encryption.
United Kingdom Home Secretary Amber Rudd recently called for a ban on encrypted communications that don't have a "backdoor" that government can use to decrypt them, as the Guardian's Jonathan Haynes writes in a March 27, 2017, article. Facebook, Google, Microsoft, Twitter, and other tech giants are responding to the call for encryption backdoors by promoting the Global Internet Forum to Counter Terrorism (GIFCT), which Rudd and other government officials support. TechCrunch's Natasha Lomas writes in an August 1, 2017, article that Rudd's claims about end-to-end encryption in a July 31, 2017, post on the Telegraph are "knotted with bizarre claims, contradictions, and logical fallacies."

Fact #1: Encryption backdoors provide access to bad guys and good guys alike

The voice of reason (and science) in the encryption-backdoor debate belongs to Bruce Schneier, who explained in a July 9, 2015, post on his Schneier on Security blog the risks of mandated backdoors. Schneier points out the obvious: If a backdoor exists, criminals will find it and exploit it. Further, you're introducing security vulnerabilities into millions of products and services. You're also faced with the monumental task of monitoring whether governments are using the backdoors in a legal manner.

The best argument against built-in backdoors is that they aren't necessary to achieve the government's goal of cracking criminal communications. In a July 25, 2017, post, Schneier links to an essay by Andrew Keane Woods entitled "Encryption Substitutes" that describes alternative methods for law enforcement to access the data they seek. Messages rarely exist in only one place and one form, for example. They may be encrypted in transit but stored in unencrypted form somewhere that is subject to a search warrant. Woods claims encrypted data is nearly always available in readable form elsewhere.
Even if an unencrypted copy of the data being sought can't be found, nearly all data is accompanied by metadata -- which is data about the data -- that offers a great deal of insight about not only the sender and recipient, but also about the nature of the encrypted message/data itself. Privacy International offers a concise overview that explains what metadata is and how it can be used by governments and others to defeat encryption. The article quotes former CIA head Michael Hayden as saying, "We kill people based on metadata."

Fact #2: Encryption isn't a security magic bullet (but use it anyway)

As Schneier and others point out, encrypting your data and communications is no guarantee that they will be safeguarded from all unauthorized access. The April 28, 2015, Weekly attempted to make the case against encryption, primarily because it offers a false sense of impenetrable security. Still, that post concludes that encryption isn't perfect, but is still a key part of a multifaceted security regimen. (In a similar vein, the November 14, 2014, Weekly described a breach of the Tor anonymizing service -- a.k.a. the Onion Router -- by the FBI and other law enforcement agencies to shut down Silk Road 2.0 and other illegal activities. Despite these and other fallibilities of anonymization, it still plays a vital role in protecting our privacy.)

The best thing you can say about encryption is that using the technology has never been easier. The Electronic Frontier Foundation's free HTTPS Everywhere add-on for the Firefox, Chrome, and Opera browsers ensures that you connect automatically to the encrypted version of all the sites you visit, if one is available. (You know you're on an encrypted page if the green lock icon appears in the browser's address bar at the top of the window.)

One of the 10 easy encryption tips offered by Quartz Media's Carey Dunne in a January 7, 2017, article is to use the free Tor browser.
I've never used Tor because I never felt the need for that level of protection. Tor is also one of the five tools for protecting your internet privacy recommended by CSO's JD Sartain in an August 8, 2017, article. Other products on Sartain's list include the Invisible Internet Project (I2P) privacy network, and two virtual private network (VPN) services: Private Tunnel and NordVPN.

One VPN service you should avoid is Hotspot Shield VPN, whose vendor, AnchorFree, is drawing heat from the Center for Democracy & Technology and others for "deceptive and unfair trade practices," according to the Register's Thomas Claburn in an August 7, 2017, article. Along with sharing the private information of its customers with third parties, the company is accused of using JavaScript codes for "advertising and tracking purposes," reportedly including "more than five different third-party tracking libraries."