Note: I technically missed this post, but it’s still good.
October is National Cyber-security Awareness Month. While many people ignore it as something they don't need to learn about, even basic awareness can make you massively more secure than the next person. Generally, low-level attackers are just looking for the easiest targets, because anything harder requires exponentially more investment from their already razor-thin margins.
Love them or, more accurately, hate them, passwords are here to stay. There are ways to make them less of a pain and more secure at the same time. Many tools to secure passwords and implement second-factor authentication are already freely available and easy to set up.
Use a Password Manager
By my current count, I have somewhere in the neighborhood of 400 accounts on various sites, services and tools. Some of these are defunct, some of them might still have my account information in them. The good news is, because I use a password manager, each one is unique. That means if the security for that site isn’t all that great and they have a data breach, my password can’t be used to exploit any other sites.
Both Apple and Android have built-in password managers, iCloud Keychain and Google Passwords respectively. Both can help you not only generate a strong password, but also store it securely online and sync it to your other devices. They also offer features like auto-fill on sites and apps when you visit them. These features are usually enabled by default, so you actually have to ignore them to not use them.
If you're not jazzed by the default tools, or want something more robust for secret keeping, Bitwarden is a fantastic tool for storing your passwords, second-factor tokens, notes, identities, licenses and more, and it can sync with pretty much any device that has access to the Internet. The software is open-source and can be self-hosted, but their own hosting costs only $10 a year, which is an amazing deal. Other options, like 1Password, are also good choices due to their multi-platform efforts, more robust syncing and rigorous approach to security.
In short: don't keep reusing that password. Get a password manager and let it give every site its own.
When dealing with passwords, you're putting a lot behind a single code. Why not add an additional layer of security? A second factor (2FA) is usually a one-time code, either texted to you, emailed to you in the form of a special login link or, in most cases, a code that your computer or phone generates from a key the site gives you when you enrol. To set this up, check your account settings and see if there is an option. Many sites are beginning to offer this feature, as it provides an additional hurdle for attackers to clear.
Setting it up is usually easy too. Generally you scan a QR code with your password manager, or set up a phone number to send the codes to. Once that's done, you'll log in and then be asked to type in an additional code. Most good password managers will already have copied this code to your clipboard, so often you just have to paste it. Nice!
Yup, backups, that old chestnut. However, you don't have an excuse. Storage (especially online storage) is so cheap in the current economy that you're often paying fractional cents (USD) for gigabytes of storage. Combine that with some really excellent tools that all but automate the process for you, and backups are easier to get going than password management.
Don't trust online storage, or just strapped for cash? Check with a friend. You can encrypt the data on a spare drive with VeraCrypt or similar and ask them to keep it in a cabinet at home. Better yet, do that with a couple of friends and now you have multiple offsite backups!
Seriously. Many of the botnet, malware and ransomware problems can be fixed by having a good backup system to restore from. Keeping important stuff encrypted and safe is also free and easy to do with little to no intervention on your part, and storing data is cheaper than ever.
Scams, Phishing and Spam
You are the weakest link in your security. You're vulnerable to persuasion, and you are the keeper of all the keys. Attackers often try to exploit this fact and trick you into providing secrets or data directly. These attacks will usually come through email, as it's not time sensitive, but occasionally they'll come through instant messaging or text services. No matter their origin, you should watch out for some telltale signs:
- Asking for information they should already have.
Is the other end asking you for information they should already have, like a password or personal information?
- Misspellings and grammatical errors.
I never understood this one, but I'm glad it's here. Often attackers are not English speakers, or just have poor language skills, so their messages are difficult to read or use mannerisms that don't fit.
- Weird looking links.
Usually attackers will try to hide links by using HTML to make them look legitimate. One tactic you can use is to hover your mouse over the link; most tools will show you a tooltip of where the link actually points. If any part of it looks off, don't click on it.
- When in doubt? Call them.
Lots of attackers try to masquerade as official-looking email. If you're not expecting anything from them, or you're suspicious, just call or reach out in another manner. Generally, if the information is really needed, a person will be able to confirm or deny it.
I can't believe I actually have to address this in 2019. So many devices now try to force updates, and so many people try to disable or ignore them. Honestly, this is the easiest issue to remedy: keep your stuff up to date. If you hate the inconvenient times at which updates present themselves, try to configure them to run when you're not going to be active, like overnight. iOS, as an example, will run updates and backups overnight so long as you're connected to Wi-Fi and plugged into a power source, something people do automatically before going to bed.