Security in IT is a very broad field. Applications and infrastructures are built in such a way that this aspect remains inseparable at every stage of the process. Sometimes improving security is the result of the right choice of parameters in the code, and sometimes – a thorough analysis and long preparations. Let’s leave it to specialists how engineers from different IT disciplines design their solutions, but remember that even the best specialists cannot protect us from our own mistakes or errors. We should all take our own security seriously because it also translates into the security of the entire system and then to other users. As users, we have very little power, but we can do very little to do it well. There are a few simple ways that we can implement right now to improve our security. In today’s episode we will list 10 of them
The first way to improve your security is simply to update your applications and systems frequently. This applies to laptops, smartphones and basically any device that offers such a possibility. With almost every update we receive a security patch. Sometimes even a small package of patches can make the difference between someone breaking into our device or not. We can say that software development is in a way a race. The race between the providers of a given service, who constantly look for weaknesses in their code and try to fix them, and the hackers who constantly look for the same weaknesses and try to exploit them. By ignoring updates, we make the hackers’ job easier because we give them more time to find vulnerabilities and find our device with that particular old version of software. This is definitely not the side of the race we want to be on. So I encourage you to update your computers, smartphones, IoT devices frequently, but also to update your routers and basically anything that gives you the ability to do so.
The second way is rather not directly associated with security, but I assure you that it has a lot to do with it. It is about frequent backups of your data. Administrators say that people fall into two groups, those who make backups and those who will make backups. Putting aside the obvious sarcasm in that sentence, you have to give it credit. Most people don’t make backups until they are painfully aware of how important they are. Our laptop may be stolen, our hard drive may get corrupted or even we may delete our important data by mistake. In such scenarios, a backup saves us a lot of work. Moreover, a backup is extremely helpful if we fall victim to some ransomware. This is a kind of malware that encrypts our data with an unknown key and demands a ransom to decrypt it. If we have a backup of our data, we can just completely format our hard drive in such a case, so we will definitely get rid of the virus for free. After reinstalling the system, we will simply recover the data from the backup. Backing up eliminates a great many problems even before they arise.
The third way is to use a password manager. There are probably many bad password habits to list, but my 3 favorites are: making up short and simple passwords, using the same passwords everywhere, and writing passwords on colored sticky notes and taping them to your monitor. A properly used password manager solves all these problems, although I admit that this last example is rather extreme. As an open source advocate, I use the Bitwarden application. It is a manager available for macOS, Windows and Linux, but also for mobile systems in the Apple and Android ecosystem. With such a password manager you only need to remember one password, the master password to open the manager. The master password is also the encryption key for the stored passwords, so it is necessary that it is strong enough.
If this is going to be the only, or one of very few passwords that we have to remember, I recommend making up even a paranoidly long password, say 48 characters. Once we have it, we can use the built-in password generator and use such generated passwords everywhere. We do not have to remember them. Just go to a page, start the registration and Bitwarden will offer to generate and remember a password, whose length and difficulty level we can even specify. Once you agree, it will begin to suggest a user and password for the site. What is important, if we accidentally land on a crafted page which looks identical to the one we registered on, Bitwarden will not suggest the password. Of course we will be able to pull it out manually, but it will be a very clear sign that something is probably wrong and we should think about whether we are being tricked. So I recommend the password manager right away because it will solve many problems, including some not so obvious ones.
The fourth way to improve security is to use two-factor verification. Every time we log in to some service we should give a password and if the password is correct we should be asked to give an additional one-time password. We can get such password by SMS or write it down from application on a smartphone. However, I do not recommend using SMS because this type of communication is not encrypted. SMS are sent and received as an open text. One-time passwords are usually only valid for 30 seconds, but security is not about making hackers’ work easier. One-time passwords can be generated using various mobile applications. The choice of applications is really large, so I encourage you to browse the app store yourself and choose something that suits you. Just pay attention to the possibility to backup your codes. If our mobile device is lost and we don’t have a copy, we may have a serious problem with logging into our services. However, using one-time passwords gives a very high level of security. A hacker not only has to know our long and complicated password, which is already very difficult, but also has to have physical access to our mobile device. So I encourage you to review all the services you use and run such verification if it is available. Usually the activation process is simple and we are led by the hand.
The fifth way, which is still not very popular nowadays, is to change your DNS. If we are using some popular DNS server, or the one our ISP suggested, we are very likely to be exposed to all the flaws in that system. DNS is basically a phone book of the Internet. One of its tasks is to translate domain names into IP numbers. So if I need to connect to www.m-core.consulting first my computer will ask a known DNS server “what is the IP address assigned to the domain www.m-core.consulting”. The DNS server will answer with the IP number. More about DNS you will find in the second episode of “IT in simple words”. Since devices on the Internet ask DNS servers for IP addresses all the time, because they do not know it themselves, why not block some addresses already at this stage? Let’s say some hacker created a page that looks identical to a page of some service we use. He did it only so that someone would enter such a page fully convinced that it is the correct page and give his login and password. The hacker will receive such warranties and will start using them on the right website to impersonate his victim. This method of phishing for passwords is called phishing. In 2021 alone, about 2.5 million phishing sites were detected. Quite effectively such sites are just blocked at the DNS level. That is, if for some reason my computer starts trying to connect to a phishing site, it will ask DNS for the IP of such a site. If DNS knows, that such website is phishing, instead of answering with server’s IP number it will answer “there is no such website”.
Many popular DNS servers simply respond to virtually any DNS query, even those that will lead you to spoofed sites. If you want to increase your security it is worth to change your DNS to one with a filter for dangerous sites. Of the free solutions, the Cloud Flaire DNS works well, but I personally prefer the paid, albeit very cheap NextDNS solution, because it also cuts off advertising networks. That is, if for any reason my computer wants to do something with some ad network, such as download an ad, or I accidentally access a phishing site, NextDNS will treat them as the same evil and respond that such a site does not exist. There are never any ads on my web browser precisely because of NextDNS. So I encourage you to change your DNS.
Another method is becoming more and more popular. It is about disk encryption. If our operating system supports some native encryption technology, it is worth to use it. In the worst case it will force us to enter only one additional password. However, if this password is strong enough and someone simply steals our drive, the effort to decrypt such a drive will be so high that in practice it will be completely uneconomical. Breaking passwords is always a matter of time. If someone breaks a password you never know how long it will take. Maybe another 5 minutes or maybe a quadrillion years. By coming up with a strong password, we make the process take so long that such a hacker will only waste time and money on electricity bills because the process is quite energy intensive. MacOS users can look at the native FileVault technology, while Windows users can look at BitLocker technology to encrypt their drive. If for some reason the technology isn’t available or you just don’t want to use it, you might want to look at VeraCrypt technology, which works on every platform and is available for free. Note that if the login to our user on our laptop requires a password, it does not mean that the drive is encrypted. However, if the login password is also the key to decrypt our drive, then we can consider our data much more secure.
The seventh method, which unfortunately may already involve the difficulty of convincing your friends to use it, is to use any technology that provides end-to-end encryption. As we remember from the previous post on the blog, end-to-end encryption is a type of encryption where only the sender and recipient of the message have access to the encryption key, not the service provider. Many people today already use a lot of Internet services on a daily basis. It can be said that our data, even the private ones are scattered all over the world and it is impossible to keep track of them all. Our data can physically reside on dozens of servers around the world. How do we know how secure the administrators of these servers are? How do we know if one of these servers has been hacked? In such a situation would we be informed about it? And even if we were informed, what if the data is already out of our control? We do not know the answers to many questions. For this reason, if you do need to send a file, consider using a secure instant messaging service such as Signal or Session. Emails can be sent encrypted with S/MIME or OpenPGP technology. If someone somewhere on the edge of the world breaks into a server that happens to be storing our data, they will only see a string of characters and some metadata. So it is worth to make it possible for him to read at least that. There are really many technologies and they concern not only the issues I mentioned above. I encourage you to browse PrivacyTools.io website yourself. You can find there a lot of privacy friendly technologies. Many of them are technologies implementing end to end encryption as a standard. Many of them are also free.
The eighth method is about organizing your apps. Each of us, when we buy a new laptop with an operating system installed or a new smartphone, will see that there are also several applications installed on it. When we run our devices this way, we often install various apps that we use for a while but then stop, or use once every six months. It is a good practice to routinely review your apps and delete any that you are not using. Applications can have millions of lines of code that we often have no insight into. And even if we did have that insight, there won’t be enough time to study it all. Always at some point we will have to trust the developers of a given application that the product of the company for which they work was at least satisfactorily tested for security. However, we can never be sure. Malware that can infect us can exploit vulnerabilities in our installed applications. For this reason, if we do not use an application, it is advisable to remove it to minimize the threat.
The penultimate, or ninth, method also involves regular auditing of your applications. Once we have removed the unused applications, we should also review the other applications for their accesses. The rule mainly applies to smartphones. If any photo management app needs access to the Internet, photo directory and camera, it is safe to say that it should have such permissions. However, if the same application asks for access to the microphone, and does not have the functionality of recording video, we should seriously consider disconnecting such access. If any application has access to resources that we don’t think we need, or that we don’t understand, it’s a good idea to disconnect it right away. If it is really needed in the future, it can always be restored, but before we understand why, for example, access to location services for an application sending e-mail, I suggest to block such access. This rule comes from the fact that quite often as users we accept the rules of the application without reading them. Probably, if we read it, we would find out that, for example, the application is tracking us in such a way, or simply adding to our files the appropriate metadata. Due to the fact that we almost never have time to fully and thoroughly analyze the operation of an application, the safest thing to do is simply to limit trust. Remember that the metadata that the provider of a particular service obtains from us for tracking and profiling can also be stolen at some point even after years of storage on the provider’s servers. Do all providers encrypt their stored data? The question is unfortunately rhetorical.
The last method is no longer related to any technology. It concerns only our attitude. The rule is ‘keep calm’. Nowadays we are flooded with various phishing attempts. And it is we receive an email supposedly from our bank, in which the alleged administrator asks us for our password, because otherwise it will come to blocking our account. Or we receive an email that some service asks us to change our password immediately for any reason. There are many phishing attempts today. The only thing we can do to protect ourselves is to stay calm. Administrators never ask for passwords because they can overwrite them at any time, giving themselves any access to our data. Why would they ask for our passwords? Phishing attempts almost always have an element of time pressure. If we receive a message that if we don’t do something within 12 hours, something bad will happen, someone who sent us that message is just counting on us to let them scare us. Trusting that when we click on the link we actually do something innocent, we actually visit a website that gives our password to the hacker or download malware. I therefore urge you to treat every e-mail and SMS you receive with great caution. In such moments it is worth asking yourself “Isn’t the main purpose of this message to make me lose my guard?”. Nowadays, phishing for passwords relies more on social psychology and unfortunately no technical protection will help. So all that remains is our own caution and vigilance.
