Just because you’re paranoid doesn’t mean they aren’t after you: 5 steps to improve your personal cyber resilience


Page 1: Just because you’re paranoid doesn’t mean they aren’t

Just because you’re paranoid doesn’t mean they aren’t after you

5 steps to improve your personal cyber resilience


About the author

“Just because you’re paranoid doesn’t mean they aren’t after you.”¹

Paul Vlissidis, Technical Director NCC Group, Cyber Lead on Channel 4 Hunted

NCC Group’s Paul Vlissidis has spent several years ethically hacking hundreds of people, most recently on the Channel 4 TV show Hunted and, before that, numerous journalists.


It has become very clear that most people don’t take even the most basic precautions with their personal cyber security. This guide isn’t for those people, and they would be better starting at https://www.cyberaware.gov.uk/.

This guide is aimed at people who worry about their personal cyber security and probably already take some precautions but aren’t sure ‘how much security is enough?’ It is also aimed at companies who may be exposed to attack via employees.

The steps in this guide may seem too lax for some. Imperfect security is a lot better than no security at all.

This guide provides links to relevant help and support to allow you to make changes immediately. Apologies in advance if some of the links no longer work – a quick Google search will redirect you if that happens. HTTPS links are used where possible; a warning is given where this isn’t the case.

Any products mentioned are examples and should not be seen as an endorsement or recommendation. They are based on blogs, website reviews and personal recommendations.

There are five areas you need to address to significantly improve your personal cyber resilience: they make you less prone to attack and better able to detect and recover from an incident.

1. Reduce your digital footprint

2. Get control of your account logins

3. Secure your devices

4. Monitor breaches and account access

5. Be careful using free stuff

Smart home technology and the Internet of Things are covered by a useful link in the Further Reading section at the end.


CONTENTS

1. A Process for determining your footprint

2. Social media

3. Online Forums

4. Credit Card

5. Browsing

1. Reduce your digital footprint

You shouldn’t ignore the information you leave behind

The data you leave behind after going online


Most of us are aware that we have a digital footprint and that it is hard to reduce – it’s more of a tattoo than a footprint…but it’s easier than you think.

This is the stuff you enter every day but can lead hackers and stalkers to your online front door and possibly inside your online life².

Here is a simple process to use when determining your current public footprint. This guide focuses on what is publicly visible to an attacker, as this is probably the highest threat scenario, but you should be aware that a determined attacker or stalker will take more time and trouble than a simple web search and may join forums they know you use (or fake-friend you) just to see information that won’t appear in basic public searches.

1. A process for determining your footprint

START

1. On a laptop, log out of all your accounts (Google, Facebook, Twitter, etc.).

2. Open a private window (incognito in Chrome) in your browser.

3. Google the following: your name, mobile number(s), email addresses.

4. Review the results.

5. Anything you aren’t happy to be out there? If NO, you are done (END).

6. If YES, did you post it?

  • YES: delete it or change the privacy settings.

  • NO: do your best to mitigate.

END

2. Social media

The changes proposed here will not degrade your user experience but will make using these platforms much safer.

Facebook

Use the privacy features to:

1. Reset all old posts to ‘friends only’.

2. Set ‘Do you want search engines outside of Facebook to link to your profile?’ to ‘No’.

3. Change the setting ‘Who can look you up using the phone number you provided?’ to ‘friends’, which is the most private setting.

(https://www.wired.com/story/how-to-lock-down-facebook-privacy-settings/)

You can delete old posts but you will need to do this individually as there is not a delete in bulk option. (https://www.facebook.com/help/236898969688346).

There are some 3rd-party tools and scripts offering bulk deletion; be wary of free stuff (more on this later). Bear in mind that if someone hacks a friend’s account they will see everything you have shared with that friend (including messages), so if you have shared anything very sensitive you might want to delete those private conversations; however, you can’t delete individual messages.

Facebook allows you to dump all your posts and messages into an archive (https://www.facebook.com/help/302796099745838).

This might be useful in itself as an archive, but it also makes searching for specific data easier, as you can use a tool such as Agent Ransack (https://www.mythicsoft.com/agentransack/) or your local desktop search tool of choice.

It’s also worth checking through your list of friends and perhaps moving some to the ‘restricted’ list so they can’t see your posts in future unless you tag them. (https://www.facebook.com/help/community/question/?id=10201771835318465)

Lastly, make sure all future posts have a suitably limited audience. Just remember that when you set an audience for a specific post, Facebook keeps that setting for future posts unless you change it. This is useful to know: if you do post something to a wider audience than usual, set it back to your preferred privacy level afterwards.

Instagram

By default Instagram is open to anyone, so check your privacy settings (https://heresthethingblog.com/2015/04/28/7-privacy-tips-instagram/). Then check pictures that give away personal data like pets’ names, sports teams, birthdays, vehicles, favourite bands – essentially anything that might be used to phish you or that might be the answer to a security question that could allow a hacker to reset your password. More on this later. (https://help.instagram.com/997924900322403)

Twitter

Historical tweets can haunt your personal life, so you might want to delete the lot (https://lifehacker.com/how-to-delete-your-old-tweets-and-favs-before-your-enem-1821062277), but individual tweets can also be deleted if they contain risky information (at your discretion) (https://help.twitter.com/en/using-twitter/delete-tweets). Again, you can download your archive before you delete anything for local searching (https://help.twitter.com/en/managing-your-account/how-to-download-your-twitter-archive). It’s worth noting that deleting tweets from your feed will delete retweets but not tweets with comments that copy the original tweet, so it may still be out there in some form.


Strava

Strava, the running and cycling app, has been subject to a data leak in the past as a result of public posts. (http://www.bbc.co.uk/news/technology-42853072) If you post your runs and rides then be aware that the default privacy setting is public. Strava have posted a useful blog to help you lock things down (https://blog.strava.com/privacy-14288/)

LinkedIn

It’s unlikely you have used LinkedIn to post vast quantities of risky personal information but two things that can be useful to an attacker are your profile and your network visibility. LinkedIn offers help to lock both of these down and tools to help you check they look right. (https://www.linkedin.com/help/linkedin/suggested/66/managing-your-account-and-privacy-settings-overview?lang=en)

Google

Your Google account is crucial to a large part of your digital footprint. If you search while logged in to Google your search history will be saved online, and in your browser, by default. Location data is also saved. All of these settings can be turned off and old data deleted if this concerns you. (https://myaccount.google.com/privacy) It’s also advisable to remove any devices that you no longer need access to and any apps you no longer want to grant permission to (https://www.howtogeek.com/279384/how-to-secure-your-google-account/)

3. Online forums

Many people join online forums and post freely. Be aware that in most cases these posts will be either public or at least visible to all other forum members. If you believe your accounts (and therefore your posts) are anonymous then check that your profile name, avatar and any other ‘about’ data doesn’t reveal who you are. Many people pick the same name for all their forums and it can be easy to collate these and work out basic information – essentially threads that can be woven into a more revealing pattern. The more posts people make the more data there is to analyse, and any one post containing, say, an email address can de-anonymise everything.

4. Credit card data

What sites have you saved details on? If the number is large it might be time to get a new card. Report the old one damaged, get a new one with a new expiry and CVV, and all those old stored cards are less of a risk.

Don’t save your card details on websites wherever possible. If a site gets breached you won’t then be a victim. Some sites insist on storing a valid card number (e.g. Amazon) so you might not be able to do this across the board. It’s even more advisable on sites where security may not be a high priority or where the operator may lack security skills; you should be able to make a quick judgement here. Using PayPal reduces the risk a little further. Another good idea is to use prepaid cards for online purchases. Worst case, enter fresh card details every time you buy (and uncheck the ‘save’ box). The password manager discussed later supports storing and populating card details semi-automatically, so some of the typing is reduced. All of this is harder where apps are concerned. If you make a lot of purchases using apps it’s often the case that card details have to be stored by the provider. There’s not much you can do here in truth.

5. Browsing

Everyone has their personal favourite browser and is usually reluctant to change. After email, browsing and downloading are the most likely ways to pick up malware. Browsers are a key target of hackers³, especially banking malware, so the most important thing is to keep your browser up to date at all times. All browsers can have their security settings tightened to make your browsing a bit safer, but browsers are where the biggest trade-offs come between user experience and security. Many of the more secure settings will degrade your user experience somewhat (e.g. disabling Java or Flash). You can find a quick guide to browser security settings here (https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/). Using an ad blocker is a painless initial step and very relevant at the time of writing⁴.

Lastly in this section you shouldn’t ignore the information you keep behind your logins. You should periodically review older messages and files (say older than 1 year) to see if they ought to be retained. Very sensitive files kept online should probably be considered for additional protection or taken offline.

2. Get control of your log-ins

A typical internet user has more than 100 separate online accounts

CONTENTS

1. Password managers

2. 2-factor authentication

3. Security questions

4. Unique emails

Make logging in safer without reducing user experience

1. Password managers

The internet was used daily or almost daily by 82% of adults (41.8 million) in Great Britain in 2016, compared with 78% (39.3 million) in 2015 and 35% (16.2 million) in 2006. A typical internet user has more than 100 separate online accounts. The study estimated that this number would almost double by 2020⁵.

Sharing passwords means you are wide open to full identity theft. It’s almost the worst thing you can do online from a security perspective. Every time a website is hacked and login details are garnered, the hackers try these out on a range of the more popular sites.

The only practical solution is to use a password manager to keep all your passwords secure. There are many options now⁶.

To those that are thinking “but having all my passwords in one place is risky” please refer to the following article https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/.

You will need one very strong password to protect your password manager. We recommend a passphrase: three or four random words and a digit or two. If you are really worried about forgetting this, you might try picking a place that means something unique to you (but not your home or work address) and using the website what3words.com to see which three words equate to that place. You can even use a ‘private’ browser session for this to be more secure.
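An added example, not from the guide, of generating a passphrase of the kind recommended above in Python with the secrets module, and of working out how much strength the words-plus-digits construction gives. The word list here is a short constructed one for the demo; the 7776-entry size used for the strength figures is that of a standard five-dice diceware list.

```python
import math
import secrets

# Short constructed word list for the demo. A real list (e.g. a diceware list) has
# thousands of entries; entropy_bits() below is parameterised on that size.
DEMO_WORDS = [
    "anchor", "basket", "copper", "dune", "ember", "falcon", "garnet", "harbour",
    "iris", "jigsaw", "kettle", "lantern", "marble", "nectar", "orchid", "pebble",
]
DICEWARE_LIST_SIZE = 7776  # 6^5: the size of a standard five-dice word list


def passphrase(words, n_words: int = 4, n_digits: int = 2, sep: str = "-") -> str:
    """Three or four words plus a digit or two, as the guide suggests. Uses the secrets
    module (a CSPRNG); the random module must not be used for anything secret."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(str(secrets.randbelow(10)) for _ in range(n_digits))
    return sep.join(chosen + ([digits] if digits else []))


def entropy_bits(list_size: int, n_words: int, n_digits: int) -> float:
    """Entropy when every word and digit is chosen uniformly and independently.
    Random selection is what makes the phrase strong, not the words themselves."""
    return n_words * math.log2(list_size) + n_digits * math.log2(10)


def words_needed(list_size: int, target_bits: float, n_digits: int = 2) -> int:
    """Smallest number of words that reaches target_bits for a given list size
    (e.g. how many diceware words plus two digits you need for 60 bits)."""
    remaining = target_bits - n_digits * math.log2(10)
    return max(1, math.ceil(remaining / math.log2(list_size)))
```

Four diceware words plus two digits give roughly 58 bits; a place-based phrase is not random and should not be rated by this formula.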

2. 2-factor authentication

Having a unique password for every website isn’t enough by itself. You could still fall for a phishing attack and give away your login details to a site.

For important accounts like email, the consequences could be serious. This is why you should turn on ‘2-factor’ authentication whenever it’s offered⁷. This hooks your account to a device, usually your mobile phone.

Each time you log in from somewhere new you get a message with a code to the phone or, better, you generate a code via an app such as Google Authenticator or Authy, and use this alongside your password to log in.

This prevents any hackers from accessing your account without access to your phone, even if they have the username and password. It is still possible to bypass this but it is quite a bit harder. Now that you are relying on your mobile phone for much of your security, make sure your mobile phone provider account is secure, even if it’s not something you use very much. You will also need to make sure the handset is secure – more on this shortly. At the very least you should ensure you use 2FA on your password manager and your email.

3. Security questions

In the modern connected world where we all have such large digital footprints this method can be fairly inadequate. You should therefore make sure any security questions for resetting account passwords are not trivial to guess. Questions such as your favourite football team, your pet’s name or your first school are fairly easy for stalkers to find on your tweets, posts or pictures. Our advice would be to make questions unique to you, or if the set of questions is restricted, use a codeword as your answer. Be aware that many breaches may give away security questions and answers as well as passwords. If you are using a password manager you can store random security questions in the notes.

4. Unique emails

If you want to take security to the next level, as well as having a unique password for every website, why not have a unique email also? That way any single set of credentials will be totally useless on any other site.

This is a bit more technical but is easy to do. Buy yourself a domain name; it doesn’t really matter what it is, so it needn’t cost more than a few dollars per annum. It’s also worth getting the privacy package from your domain provider, which means your name and address aren’t plastered all over the Internet in whois listings. Then make sure all emails to that domain are forwarded to your preferred email address. Now you can register for new accounts with a unique email and password for every site. It has the added benefit that you can spot where someone got your email address if you get spam or are phished using one of these. You will need to make sure you renew the domain name annually though.

NB: If you are a Gmail user you can do this without having to buy a domain. Gmail ignores everything after a ‘+’ in an email address, so you can have [email protected] and it will correctly send to [email protected]. How-to guide here (https://fieldguide.gizmodo.com/how-to-use-the-infinite-number-of-email-addresses-gmail-1609458192).
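An added example (not from the guide) of the per-site alias scheme in Python: issuing aliases on a catch-all domain and as Gmail ‘+’ addresses, and working backwards from the address a message arrived at to the site it was given to, which is how you spot where an address leaked. The domain, Gmail address and inbox entries are constructed for the demo.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed values for the demo (not from the guide): a personal domain with
# catch-all forwarding, and a Gmail address used with "+" sub-addressing.
MY_DOMAIN = "example.org"
MY_GMAIL = "someone@gmail.com"


def _label(site: str, sep: str) -> str:
    """Turn a site name into a safe local-part label, e.g. 'Shop Example' -> 'shop-example'."""
    return re.sub(r"[^a-z0-9]+", sep, site.lower()).strip(sep)


def alias_for_site(site: str, domain: str = MY_DOMAIN) -> str:
    """One address per site on your own domain; catch-all forwarding delivers all of them."""
    return f"{_label(site, '-')}@{domain}"


def gmail_plus_alias(site: str, gmail: str = MY_GMAIL) -> str:
    """Gmail ignores everything after '+', so local+site@gmail.com still reaches local@gmail.com."""
    local, _, host = gmail.partition("@")
    return f"{local}+{_label(site, '')}@{host}"


def site_from_address(addr: str, domain: str = MY_DOMAIN, gmail: str = MY_GMAIL) -> Optional[str]:
    """Recover which site an alias was issued to from the address a message was sent to.
    Returns None for addresses that are not per-site aliases (e.g. the bare Gmail address)."""
    local, _, host = addr.strip().lower().partition("@")
    gmail_local, _, gmail_host = gmail.lower().partition("@")
    if host == domain.lower():
        return local
    if host == gmail_host and local.startswith(gmail_local + "+"):
        return local.split("+", 1)[1]
    return None


def messages_per_alias(messages: Iterable[Tuple[str, str]]) -> dict:
    """Count inbound messages per alias: a burst of spam or phishing to one alias points
    at the site that leaked (or sold) it, which is the detection benefit of the scheme."""
    counts: dict = {}
    for to_addr, _subject in messages:
        site = site_from_address(to_addr)
        if site is not None:
            counts[site] = counts.get(site, 0) + 1
    return counts


# Constructed inbox sample (recipient address, subject) for the demo.
SAMPLE_INBOX = [
    ("Shop-Example@example.org", "Your order has shipped"),
    ("shop-example@example.org", "Urgent: verify your account"),
    ("shop-example@example.org", "You have won a prize"),
    ("forum-example@example.org", "Weekly digest"),
    ("someone+newsletter@gmail.com", "Special offer"),
    ("someone@gmail.com", "Hello from a friend"),
]
```

Running messages_per_alias(SAMPLE_INBOX) shows three messages to the shop alias, two of them lures, so that alias (and only that account’s password) is the one to retire.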

3. Secure your devices

CONTENTS

1. Mobile phones

2. Software updates

3. Laptops

Making sure your hardware does not act as a gateway

On average we touch our phones over 2,600 times a day


1. Mobile phones

Mobile phones are an essential part of our connected lives, and the longer we have had them the more dependent we have become. This is illustrated by a 2017 survey which found that on average we touch our phone over 2600 times per day⁸.

Inevitably phones are going to hold huge quantities of important personal and financial information or the means to access it. The good news is that they are well suited to doing this provided we configure them properly. Unless you have a mobile phone that predates 2014, encryption will be enabled by default, but it’s only as good as the PIN you set.

The most important thing to do is ensure you have a PIN for the phone. Ideally this should be 6 digits, or better still a longer passcode with letters; four generally isn’t enough, but is still a lot better than no PIN at all. This means that should the device be stolen or lost, its contents are effectively inaccessible. If the FBI struggles to break the encryption⁹ you can be confident the average phone thief can’t, at least not before you can issue the ‘remote wipe’ command.

Most phones these days have biometric security and this saves you having to enter your PIN every time. For most practical purposes this security technology is robust and can be relied upon but is not necessarily more secure than a good passcode (https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/january/ncc-groups-trends-of-2018/).

There are numerous guides on how to best secure your mobile phone and many are device-specific. However, it is advised that as well as the PIN you also take time to disable location services on any apps where you don’t want it.

A virtual assistant should not be activated from the lock screen as these can offer an easy way into your data (e.g. “hey Siri show me my notes”). If you are likely to be in a very hostile environment, it’s best to turn your phone off completely.

2. Software updates

All software gets less secure as it ages. This ‘security debt’ builds because the longer software is in the field, the more vulnerabilities hackers and researchers identify. This is why most software updates are issued: to implement security patches. Therefore, you should take the time to regularly update your devices (#techfree15: https://www.cyberaware.gov.uk/blog/how-taking-techfree15-can-give-you-healthy-mind-and-phone).

For phones this should be at least daily, for laptops at least weekly and for all your Internet of Things you should set them to update automatically, as it’s the only practical solution. Lastly you should clean your browsing, message and search histories regularly on your phones, laptops and messaging apps.

Laptops and desktops should be running an up-to-date anti-virus solution. Whilst not the panacea they once were, they will certainly catch or block some malware.

Options include:

• Windows AV augmented with Malwarebytes (https://www.malwarebytes.com/ )

• To monitor outbound network connections use Glasswire (https://www.glasswire.com/)

• On the Mac Sophos AV is a free option (https://www.macupdate.com/app/mac/17070/sophos-home)

• Little Snitch is a commercial option

• Oversight is a free app to monitor use of your microphone and webcam (https://objective-see.com/products/oversight.html).

3. Laptops

Laptops should also have disk encryption enabled if it’s supported (only Windows 10 Pro and above). For Windows laptops this is called Bitlocker (https://support.microsoft.com/en-gb/help/4028713/windows-10-turn-on-device-encryption) and for Macs this is FileVault (https://support.apple.com/en-gb/HT204837). In both cases make sure you keep a printed copy of the recovery key(s) in a safe place.

Home Wi-Fi should be configured with a strong password that is changed from the default that comes with the box. Having a separate network for guests is also a good idea so you don’t have to hand out your Wi-Fi password.

You also need a robust backup solution to protect your most important data. A minimal backup regime to protect against inadvertent or deliberate deletion or encryption of your precious data is advised:

• Backup all phones both online and offline. Online backups are more beneficial provided your apple/google accounts are properly protected. The benefits gained by near real-time, fire-and-forget backups hugely outweigh the risks.

• Take regular offline backups, weekly if possible. Store them safely on an external hard drive in a drawer. It’s not always great to use a password to store these offline backups. Rely on physical security for this backup.

• Backup laptop data to an external hard drive at least weekly. You can use the built-in (mac and windows) software to do this automatically with an offline backup weekly. This makes you largely immune to ransomware, at least as far as data is concerned.

• Backup/export your password manager vault to an external hard drive for an offline backup. Again, put this in a locked drawer. Again, no password.

4. Monitor breaches and account access

CONTENTS

1. Breach monitoring

2. Login monitoring

3. Credit monitoring

Being aware and responding to a breach in the best way

Securing your email should be paramount in your personal cyber resilience strategy


1. Breach monitoring Even if you follow the advice and have unique passwords for each of your accounts it’s inevitable over time that one or several will be compromised. It’s important to be aware should this happen, so that you can respond.

You should not rely on the account providers (website and platform operators) to let you know when they have been breached. Fortunately, there are some tools you can use to make your life a little easier. Firstly, you should register with Troy Hunt’s https://haveibeenpwned.com/. This site gathers dumps of data breaches from all around the Internet and allows you to check if you are a victim. Furthermore it offers a free alerting service so that if a registered email address is part of any subsequent breach, you will be informed. You can then change the password of the offending account and check for any login activity that might be dubious. You may also need to change security questions and answers if these have also been compromised (as sometimes happens).

2. Login monitoring Email is at the heart of everything you do online and holds the keys to all of your other accounts by way of password resets. Every website you register with has an email address for you. Try searching your emails for the word ‘Welcome’ and you will see how easy it would be to identify all your online accounts and begin resetting passwords. Securing your email account(s) should be paramount in your personal cyber resilience strategy. The advice on 2-factor authentication above is especially important for your email (https://www.cyberaware.gov.uk/passwords).

Have a backup or recovery email account that is equally secure on a different provider which is also protected by 2-factor authentication with a strong unique password.

For your most important accounts there are some tools that monitor access in real time and alert you if they see any suspicious activity. Try an app called LogDog, which can keep an eye on your significant social media and email accounts. Sadly it’s not able to check every account, but if you follow the advice above then any single account compromise (with the exception of your email) should at least keep the problem contained. If you believe an account has been compromised you should inform the account provider immediately. Many of the major platforms already offer a service that checks for unusual activity and alerts you. Don’t ignore these alerts.

3. Credit monitoring

This is an essential service in the modern connected world so that you are alerted to any changes to your credit file. If anyone compromises one of your important accounts, such as your utility providers, they may try to use the access to take out a loan or credit agreement in your name. There are free basic services such as Clearscore and Noddle (UK) which let you see your credit report. Some offer regular alerts if anything changes. Paying for identity protection services might be something you also want to consider. It’s a confusing marketplace though, so tread carefully.

5. Be careful using free stuff

CONTENTS

1. Wi-Fi

2. Apps

3. Email

Using free WiFi or apps is the equivalent of finding an open beer and drinking it

How to be safe when using free WiFi or apps

1. Wi-Fi

Free Wi-Fi is ubiquitous and, along with charging points, seems to be the resource most commonly sought. Using free Wi-Fi without any other protection is the digital equivalent of finding an open bottle of beer in the street and drinking from it.

When you connect to a network the operator of that network has total power over where to send your device’s network traffic. Even if you use https:// for your web browsing it is still possible for a malicious network operator to do you digital harm. Not all connections from your phone’s apps will necessarily use the strongest encryption. A recent survey of mobile apps from Pradeo (www.pradeo.com ) found that over 1 in 6 apps use uncertified, and therefore unencrypted, connections to servers.

Spoofing a Wi-Fi network is trivial and this combination can be deadly in the hands of a competent hacker, so don’t be fooled by the network name. Fortunately there is a solution: use a VPN. This way you are transferring your trust to a provider with whom you have a relationship. Not all VPNs are created equal; however, using a VPN provider is significantly less risky than using some unknown free Wi-Fi provider. There are several reviewed here: http://uk.pcmag.com/software/138/guide/the-best-vpn-services-of-2018 (note this is an unencrypted website). The more technically minded and less trusting reader might want to have their own VPN service. Algo is an option for this (https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/).

2. Apps

Free apps are another area of concern. Many apps are free and perfectly trustworthy, and it’s fair to say that the official app stores are relatively vigilant, but far from perfect, at rooting out the bad ones. In any event, even legitimate apps can present security problems¹⁰ when used on an untrusted network, with 61% of Android applications and 36% of iOS applications sending users’ data to remote servers. So check the app authors, independent third-party reviews and feedback ratings before downloading any app, but especially newly added free ones, as these represent the highest risk. In any event, use a VPN when out and about on Wi-Fi, as mentioned earlier.

3. Email

Email trust is an area that catches many people out. Email is one of the oldest features of the Internet and it hasn’t moved on much from those early days. Email is an unsafe medium in the sense that the providers can view the contents and can be easily hacked. Also, when you receive an email you cannot be sure that it has come from where it says. So email with care and never trust the contents of a message, especially if it’s financial in nature. Financial Fraud Action have an excellent training tool at https://takefive-stopfraud.org.uk/takethetest/

Summary

There are some risks we just have to accept as part of having a connected life. We can’t prevent hackers from getting access to things we do not control but we can improve our resilience by making sure that the digital footprint we leave is small(er), the data that matters to us is preserved and the accounts that hold our most important and personal information are protected and monitored.

Endnotes

1. Joseph Heller, Catch-22

2. https://www.cpni.gov.uk/my-digital-footprint

3. https://securelist.com/it-threat-evolution-q3-2017-statistics/83131/

4. https://www.forbes.com/sites/leemathews/2018/01/26/hackers-abuse-google-ad-network-to-spread-malware-that-mines-cryptocurrency/#67ad969c7866

5. https://www.ons.gov.uk/peoplepopulationandcommunity/householdcharacteristics/homeinternetandsocialmediausage/bulletins/internetaccesshouseholdsandindividuals/2016

6. http://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-of-2018 (unencrypted link)

7. Useful resource: https://twofactorauth.org/

8. http://uk.businessinsider.com/dscout-research-people-touch-cell-phones-2617-times-a-day-2016-7 (unencrypted link)

9. https://www.theregister.co.uk/2018/01/09/fbi_boss_backdooring_encryption/

10. http://ieeexplore.ieee.org/document/7546508/?reload=true (unencrypted link)

11. Source: Pradeo 2018 mobile threat landscape report, www.pradeo.com

Helpful further reading on this topic

https://www.cyberaware.gov.uk/

https://takefive-stopfraud.org.uk/

Detecting stalkers: https://www.linkedin.com/pulse/protecting-your-digital-self-from-cyber-stalkers-view-vlissidis/?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_post_details%3BE7FYo2f7QvW4aCrqUF82NQ%3D%3D

Internet of Things in the home: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/february/security-of-the-internet-of-things-in-the-home/

Acknowledgements and main sources

Nick Rosener: https://medium.com/@nickrosener/an-in-depth-guide-to-personal-cybersecurity-be98ba47c968

Cara McGoogan: http://www.telegraph.co.uk/technology/0/protect-credit-card-fraud-online/ (note this is an unencrypted website)

Thanks to my fellow Hunted Cyber Team members and NCC Group colleagues Richard Warren and Gav Holt for their input and advice.


www.nccgroup.trust [email protected]