The term “cyber security” sounds so obscure and ominous that the vast majority of people just nod and switch off their brains. The same people then get surprised when hackers hijack their Instagram, steal money from their bank account, or leak their private conversations. The good news is that basic IT diligence protects you from 99% of cyber-attacks and does not require you to understand geeky tech talk. The even better news is that the biggest IT threat to you is you.
Think before you post
As the old Chinese proverb goes, the faintest ink is more powerful than the strongest memory. You can burn paper and crush CDs, but you can’t erase the ink-ternet. You may well decide to mark your Facebook photos as only viewable by your friends, but you never know when and where they might repost them publicly. Not only that, the social media giant can reuse your content without being sued and, according to The Telegraph, even transfer or sub-license it to someone else. Don’t be so shocked. If you have a Facebook account, you agreed to this in its terms of service by clicking on the “Sign up” button.
Yes, Facebook can basically use all the photos you upload there how it sees fit. That’s why it assures the usage is “subject to your privacy and application settings,” but, then again, the company reserves the right to amend the terms at any time. If you want to see the truckload of data Facebook keeps about you, open their website and go to Settings/Your Facebook Information/Download your information. It’s a somewhat scary dozens-of-gigabytes reality check.
Despite their best efforts and regulation, such as GDPR in the EU, all online platforms can expose your personal data. Examples include the Facebook-Cambridge Analytica scandal in 2018, the major Google+ security bug in the same year, or, to give you a local example, the popular dating site Libimseti.cz data leakage in 2008 where more than 1,100 girls saw their intimate password-protected pictures spreading over the Internet like a bad rash.
The Wenceslas Square Analogy
Clearly, your online life is not fully in your hands and no amount of status updates with extensive copy-pasted declarations on your privacy rights protection will change that. Last Week Tonight’s host John Oliver said it best: “Unfortunately, you might as well be posting this (a) picture of a sloth revealing a woman’s cleavage because it would grant you literally the same legal rights.”
While this all might seem a bit disheartening, don’t give up and set everything to publicly visible because now you think your privacy settings don’t matter. They actually do help a lot. Keeping your Facebook posts only to your friends gives you an initial level of protection, and there are very useful features, such as the timeline and tagging settings, where you can require your approval before anyone tags you in a photo. As for Google, doing the quick Security and Privacy Checkups in your account settings comes in handy as well.
My rule of thumb is to imagine the Internet as Wenceslas Square. Will I announce to everyone what I just had for breakfast or share a photo of me looking drunk from last night’s party? What about a stylish picture where you can see someone’s car number plate or a credit card number? Thinking of everything you share online as public, no matter your privacy settings, might save you some unwanted surprises and explanations in the future.
We’ve briefly run through how you can best protect yourself from yourself. Now it’s time to defend ourselves against hackers and scammers. The first line of defence is password management. There are articles galore with various suggestions on this subject. The more services you use, the more passwords you should have, but trying to remember all of them resembles playing Pexeso on “hell” difficulty level. Fortunately, there is something called a password manager to remember them for you.
The first go-to options, Chrome Password Manager and iCloud Keychain, run into two problems. First, you don’t want to have all your eggs in one basket, and second, they are far from being universal. You can also use your Facebook or Google account to log in on many websites. Here, you still face the egg-basket and universality issues, plus you need to evaluate the websites’ demands upon logging in. Do some of them really need access to your Facebook friend list, interests, and birthday?
That’s why 1Password, Dashlane, LastPass, or their hardware alternatives are much better choices. You give them a password and they remember it for you, while offering superb protection from hackers. Even in the very improbable case of defeat, they usually have some tricks up their sleeves.
In 2015, hackers successfully broke into LastPass servers. Although they breached its security, they were unable to steal any information. That’s because LastPass users protect their passwords with one Master Password, which the company stores outside of its servers. This additional layer of protection prevented any harm to users.
Ultrademonically mega cool
To give you the full package, these apps also act as password generators. But if you’re still on the fence or just want to take matters into your own hands, no worries. You don’t need to be a cryptology guru to make up a strong password. Make it more than 12 characters long, mix them up, avoid common substitutions, and don’t use memorable keyboard paths. Easy, right?
For instance, “mousefootballsorrylunch” is a great beginning. Due to its length and random word order, it is hard to crack and easy to remember. Just picture a mouse apologizing that it can’t go play football with you because it is having lunch. See, you have already remembered it.
Since it has four random common words, it’s much harder to crack than, for example, “8Kslav!aprah&”, which is relatively short and uses common substitutions. Although it looks counterintuitive, the cybersecurity mathematics adds up, and you would be surprised how much safer the first option is. Now up the effort with capitalisation and some symbols and numbers, and you have the ultrademonically mega cool password “moUse^foOtball3soRry^luNch”.
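The arithmetic behind the word-based password above, as an added example that is not part of the original article: it picks the words with a cryptographically secure random generator and counts the bits of entropy that come from the word list and from the capitalisation and separators. The 16-word list, the separator alphabet and all function names are constructed for illustration; a real word list would be far larger, such as a 7,776-word diceware-style list.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the block runs offline (assumption:
# a real list is far larger, e.g. a 7,776-word diceware-style list).
SAMPLE_WORDS = ("mouse football sorry lunch river candle pocket window "
                "garden silver tunnel bucket planet ladder cotton engine").split()
SEPARATORS = string.digits + "^!&%*-_+"   # constructed alphabet, 18 symbols


def generate_passphrase(words=SAMPLE_WORDS, count=4):
    """Pick `count` words uniformly with a CSPRNG; words chosen by hand are not random."""
    return [secrets.choice(words) for _ in range(count)]


def decorate(words):
    """Capitalise one random letter per word and join the words with random separators."""
    parts = []
    for i, word in enumerate(words):
        pos = secrets.randbelow(len(word))
        parts.append(word[:pos] + word[pos].upper() + word[pos + 1:])
        if i < len(words) - 1:
            parts.append(secrets.choice(SEPARATORS))
    return "".join(parts)


def passphrase_bits(list_size, count):
    """Entropy in bits when the attacker knows the word list and the word count."""
    return count * math.log2(list_size)


def decoration_bits(words):
    """Extra bits from decorate(): one capital position per word, one separator per gap."""
    capitals = sum(math.log2(len(word)) for word in words)
    separators = (len(words) - 1) * math.log2(len(SEPARATORS))
    return capitals + separators


if __name__ == "__main__":
    chosen = generate_passphrase()
    print("generated:", decorate(chosen))
    for size in (len(SAMPLE_WORDS), 2048, 7776):
        print(f"4 words from a {size}-word list: {passphrase_bits(size, 4):.1f} bits")
    print(f"decoration adds about {decoration_bits(chosen):.1f} bits")
```

The strength comes from the size of the list and the number of words, so a phrase built from a short list of favourite words is far weaker than its length suggests.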
You are understandably happy with your new password right until you realise how many online accounts you have. Then you read that security experts from a certain online company advise you to change it every month. When you have 30 online accounts, it means making up 360 unique and strong passwords every year. That’s creativity and memory overload, but that’s not the only problem here.
Change = bad?
First of all, hackers don’t wait for a month. If they gain access to your account, they’ll probably use it right away to cause damage. They also don’t hold on to it to snoop on you because it is not very profitable and nowadays hackers are mostly after profit. On top of that, changing your passwords regularly might actually lower your security because you are likely to start using weaker passwords and reusing them across multiple accounts.
Think about the danger of someone hacking your amazingbaking.com account where you only discuss recipes. You would, of course, change your password immediately after you found out the database had been stolen, but other than that, there’s not much sense in changing a password regularly on this site. If you’re not sure, you can check if your accounts have been compromised with various tools, such as Have I Been Pwned?, DeHashed, or Google Password Checkup.
Internet banking, e-mail, or social media are a different story. Given the sensitivity of the data, changing passwords every 90 days makes more sense. But even the best of passwords can’t fully protect you.
I like to tell the story of my friend whose Instagram account was hijacked about three years ago. Years of photos lost, but no other harm done. She had to create a new one, which got hijacked after a few months. Because the third time’s the charm, she gave it one last try, and no one has hacked her account since. Secret? Two-factor authentication (2FA).
Here, Phishy, Phishy
2FA means you have to confirm the login with biometrics, such as a fingerprint or face scan, a one-time code sent to your phone number via text message, or an external security token. It is a bit of a pain, but it improves your security exponentially.
As you may have already guessed, even this technology is not 100% hacker-proof. However, if you’re not a governmental organisation under a cyber-attack from the Chinese group APT20, chances are no one is going to hack your accounts in the foreseeable future if you use 2FA. That’s where social engineering, namely phishing, comes in.
Phishing is one of the most prevalent forms of cyber-attack. Instead of busting into your account with brute force, the attacker sends you an email or a text message appearing to be from your bank, an e-shop, a social media site, or an internet service provider and tries to trick you into providing your personal information.
It’s human nature to want the most value for as little effort as possible and I know that having your guard up all the time can be exhausting. But you only have yourself to blame if you clicked on the verification link in the email from firstname.lastname@example.org and entered your username and password into Facebook.
A bit of critical thinking goes a long way here. Is the sender’s email address trustworthy? Does the email contain typos or try to frighten you by claiming your account is under threat of being disabled unless you re-confirm your details? Does it use a generic greeting, such as “Dear customer”? Remember, it all boils down to your personal information. If the sender requests it, it is probably a phishing attempt.
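The checklist above turned into a small detection routine, as an added example that is not part of the original article. The trusted domain, the keyword patterns and both sample messages are constructed; the typo check is left out because it needs a dictionary.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains your real providers send from (constructed value).
TRUSTED_DOMAINS = {"mybank.example"}
PRESSURE = re.compile(r"\b(disabled|suspended|immediately|re-?confirm)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (customer|user|client|member)\b", re.I | re.M)
ASKS_FOR_DATA = re.compile(r"\b(password|username|pin|card number)\b", re.I)


def is_trusted(domain):
    """Exact match or a true subdomain; 'mybank.example.other.test' is neither."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_signals(raw_email):
    """Return the names of the article's warning signs found in one message."""
    msg = message_from_string(raw_email)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    if not is_trusted(domain):
        signals.append("untrusted_sender")
    if PRESSURE.search(text):
        signals.append("pressure")
    if GENERIC_GREETING.search(text):
        signals.append("generic_greeting")
    if ASKS_FOR_DATA.search(text):
        signals.append("asks_for_personal_data")
    return signals


# Constructed sample messages (not real mail).
PHISH = """\
From: Example Bank Security <alerts@mybank.example.account-check.test>
Subject: Your account will be disabled

Dear customer,
Your account will be disabled unless you re-confirm your details.
Reply with your username and password.
"""
LEGIT = """\
From: Example Bank <statements@mail.mybank.example>
Subject: Your March statement is ready

Hello Jana,
Your statement is available. Sign in the way you normally do to view it.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_signals(raw))
```

A trusted sender domain is not proof of origin, because the From header can be forged, so an empty result means "no warning signs found" rather than "safe".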
Outdated systems and VPNs
What also makes a hacker’s life much easier are outdated systems. If you read the article on smart homes in our previous edition, you’ll know how important it is to change your router password and install firmware updates. Some updates contain crucial security loophole fixes and shouldn’t be taken lightly. Checking that your antivirus is up to date is an excellent place to start.
Like it or not, even Windows 7 and Android 7 are no longer supported. As time goes by, the lack of software updates results in a gradually less secure operating system, which is more open to new types of viruses and cyber-attacks. It took me years to leave Windows XP behind and now I have to part with a long-time friend in Windows 7. Life is indeed cruel. But kudos to the Microsoft engineers who added a feature in Windows 10 that makes it look like 7 in order to make the transition easier for us lovers of the older and smoother design.
The last piece in our online security jigsaw is a virtual private network (VPN). This keeps you safe in the vast e-seas of the Internet, especially when using public WiFi (which you really shouldn’t do unless super necessary). Not only does it encrypt your browsing data, it also masks your location, which repels most potential intruders. A VPN does not make you anonymous on the Internet, though, so don’t think about acting all tough online without consequences.
If you decide to install a VPN, keep in mind that many free VPNs might collect and sell your data to third parties. After all, you get what you pay for. My personal favourite is VyprVPN with its strict no-logging feature and Chameleon protocol, but ExpressVPN, Surfshark, or TunnelBear will serve you well too.
One favour to ask
Before you start installing 2FA apps, checking for updates, and exploring whether your passwords have been pwned, I have a favour to ask. Keeping yourself safe and secure online is sensible, but being considerate of the privacy of others is equally important. So, we are getting back to posting pictures online.
Although Google Street View blurs car number plates, try typing yours in Google Image Search. Since Google’s AI can recognise numbers and letters in a picture, if anyone has ever taken a picture where your number plate is clearly visible, chances are it will pop up as the top result in Image Search. While this is the perfect way of finding “stalkers,” it reminds us to be mindful when posting pictures with potentially sensitive information.
Number plates might not be such a big deal, but babies are – pictures of them have flooded social media. The urge to share one’s pride and excitement is perfectly understandable, but there is a good reason why some pictures should be printed instead and remain in private family photo albums to amuse visiting relatives. Imagine what your tiny ball of cuteness will say when they turn 15 and discover their baby photos online. Think before you post and think twice before you post pictures of your children. Their future selves will thank you.