Fundamentals of Basic Computing Safety
This essay was written by guest-author Shain Tesla.
This is a brief introductory rant, intended to expose people to the fundamental concepts of basic computing safety. I am not an expert. These are just a few things I picked up working in technical support and briefly pen testing. I hope it helps.
Hacking has become a serious phenomenon, and believing otherwise is naive. Connecting to the internet without precautions has been dangerous since the 80s, and the threats have only become more elegant and subversive since. Because of that, I am appalled that it is perfectly normal to know how to use every feature of a smartphone or PC, yet not know how to secure it against the most common and basic risks. That is frankly irresponsible and reckless. Isn't it odd that today, when humans depend on technology more than ever, such a small segment of them actually knows how to control it?
The few security measures that have become common knowledge are not only largely ignored; even when followed, they only make a PC a slightly less convenient target. Calling the victim a target is probably misleading anyway. Victims are usually no more of a target than a blade of grass being mowed. Hacking is rarely about vetting good targets or taking revenge; attackers, like all programmers, prize efficiency.
Two common and effective tactics are to scan huge numbers of computers for weaknesses, or to plant malicious code on a website that many people will visit, and both can be extremely profitable. Attackers are currently harvesting so much credit card data that it has become hard to sell it for a reasonable price; the black market is practically saturated with it.
Attackers have several ways of steering a user's browser onto a malicious website: phishing links, look-alike domains, or tampering with the machine's DNS settings. The fraudulent site will likely look exactly like the real one. It may even set the right kind of cookie, forward the user's login credentials to the real website, and then serve up the genuine home page once it has finished undermining your privacy. All the while, you were sharing cat pictures, blissfully unaware.
The victims of this kind of attack literally hand their login information straight to an attacker. Sites that use an email address as the user name, or at least require one at registration, are favourite targets, because they let the attacker collect the most data in the shortest time. Users often register on these fake sites with the same password they use for the email account they just entered. That saves the attacker only a little work, but it is still much appreciated; perhaps you increased their efficiency by 30-40%. That is notable.
Once inside the original email account, they can search the mail for registration and confirmation messages from every website (many of which still contain passwords) and dig through the settings for alternate addresses. Then they can take the resulting list of user names and emails to a people-search service like Spokeo to learn where else those identifiers are registered, along with a host of other terrifying information. Most people have no idea what horrors dwell in the abyss 100 pages back in their inbox. It is worth deleting it. Terabyte hard drives exist if you want to be a pack rat.
This data is fed through a program that attempts to log into popular websites, especially banks. It tries different user name variations (name.lastname, name.birth_year, and thousands of other combinations that statistically work most often), paired with variations of every password obtained along the way. This is called credential stuffing, and the programs that specialize in it are freely available online and not difficult to obtain.
This may seem like an inordinate amount of effort to spend on your account, but most attackers never have to look at it at all. They are first and foremost good at automation. They will have your credit cards, bank accounts, family members' names, address, the cost of your home, the people you know, your usual schedule, everyone you have hung out with, your favourite food, the spots you like, the names of your children and a host of other information, in a list alongside hundreds of others, as the output of a script they threw together over a weekend.
I hope that at this point you are either already protected against this kind of attack or at least horrified enough to revisit the idea of security. The first layer of security is good passwords. Each password should be strong, and no password should ever be reused. We have probably all heard that, but most still ignore it. If that is you, even an inexperienced attacker could get into everything.
What is a strong password? Most IT security training given by employers tells users that a good password "has to be 8 characters long, have a capital letter, a lowercase letter, a number and a symbol". This trains users to make passwords that are easy for computers to guess and hard for humans to remember, which is completely counterproductive. The xkcd comic "Password Strength" makes the concept clear for visual learners.
A password's strength is measured in bits of entropy: the number of equally likely possibilities an attacker has to try, expressed as a power of two. The more bits, the longer a computer will take to crack it. But entropy describes how the password was chosen, not how it looks. Many users start a dictionary word with the obligatory capital letter, swap common letters for numbers, and end it with a punctuation mark or other common symbol. That is a pattern, and pattern recognition is every computer's forte; reproducing every password that fits the pattern only takes a simple set of rules applied to a word list. Most people's passwords are designed perfectly for computers to crack.
Even users who do use different passwords may make an attacker's job simple by deriving them all from one base password, varying only a digit or a site name.
A modern cracking rig that tests billions of guesses per second against a fast hash will not take long to find the answer by trying every variation of the one password it discovered. Some of the groups doing this dedicate large server farms to the task. Most users could not possibly remember enough varied, strong passwords to prevent this. Thankfully, there are tools that create insanely strong passwords you never have to look at, let alone remember. The passwords they generate are effectively impossible for a computer or a human to guess.
http://keepass.info/ (Windows; Linux, macOS, FreeBSD and anything else that can run Mono; compatible ports exist for iOS and Android)
With a tool like this, users can create passwords as long and complex as each website allows, maximizing entropy and therefore the time a computer would need to break them. Here are some sample passwords I created to resemble most users' passwords, contrasted with one made by the generator, each rated in bits of entropy by KeePass:
û¢éqWß@²+«(ï0ýäUÆ!²AjøZðid-©¼bûjTDPu³²ÚÑ¥x¥Íj¿¦8¶÷EB>àTÒQaWqËqsM_e^e² TÙõþÌî*e£êÃk[òÁ¬m®w]¢kDx`¢úòõa”+Åüä2>!¯ª²5lY$Lë¿q¬q¥òÚ”Pþû²ûzD}»p2kv×Ìh&#ðö~Ðü§F¡¼öI;µé¼pÇæ%8j±Ñ¦CUÚÓÖþè2Ôôqgkí+ßhªh±L”eP@ààh¤J©o«’c:6º¢êNÆA§^6K°0´=¸´wÜÑS3lÑÒÑ/OoõK§d¡OE}ôyxÅM¬»ÞÐ¯|Eª4Ø.ÙpùMù/|H?«Jx¬Â¼Ç>S¤FvêÃWh I¾×~)QYV¦ì¡mðú<÷¹
Take a moment to compare the last one to 'password', which people actually use; it is one of the most common passwords in every breach list. Cracking difficulty is not linear in bits either: every extra bit doubles the number of guesses, so a 20-bit password is not twice as hard as a 10-bit one but about a thousand times harder.
That last example carries far more entropy than any encryption key it could be turned into, so the key derived from it, not the password, becomes the weakest link; I doubt something like this could be cracked. Some websites require shorter passwords, or forbid quotes, semicolons and so on, but most will let you get away with really long and complicated passwords. I have seen websites that allow up to 300 characters. It is easy to create a password to fit any requirement with the generator.
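To make the entropy argument concrete, here is an added example in Python (mine, not from the original article and not KeePass's code). It takes a constructed five-word dictionary and the kind of mangling rules crackers actually apply (capitalise, swap letters for look-alike digits, append a digit or symbol), shows that a policy-compliant password like P@ssw0rd1! sits inside a space of only a few hundred candidates (about 8 bits of real work) even though a character-count estimate credits it with 65 bits, and contrasts that with a generated password whose entropy really is length times log2 of the alphabet. The word list, the rule set and the 94-symbol alphabet are assumptions chosen for the illustration.

```python
import math
import secrets
import string

# Constructed five-word dictionary standing in for a real cracking wordlist.
WORDLIST = ["password", "welcome", "dragon", "summer", "letmein"]

# The "complexity" rules most people apply: capitalise, swap a few letters for
# look-alike digits/symbols, append a digit or punctuation (assumed rule set).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "1!", "123", "2013"]


def mangle(word):
    """Yield every variation the rule set produces from one base word."""
    leet = "".join(LEET.get(c, c) for c in word)
    for base in {word, word.capitalize(), leet, leet.capitalize()}:
        for suffix in SUFFIXES:
            yield base + suffix


def pattern_space(wordlist):
    """All candidates reachable by the rules; a cracker tries exactly this set."""
    return {candidate for word in wordlist for candidate in mangle(word)}


def bits_of_work(space_size):
    """Real strength of any password inside the space: log2 of how many there are."""
    return math.log2(space_size)


def naive_entropy(password):
    """Bits a character-count estimator reports: length * log2(alphabet used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


# 94 printable ASCII symbols; a generator with no pattern uses the full alphabet
# at every position, so the naive figure is the true figure.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate(length=32):
    """Random password drawn with the OS CSPRNG (secrets), one symbol per position."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generated_entropy(length):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    space = pattern_space(WORDLIST)
    print("candidates the rules reach:", len(space))                      # 300
    print("P@ssw0rd1! reached:", "P@ssw0rd1!" in space)                   # True
    print("real work for it: %.1f bits" % bits_of_work(len(space)))       # 8.2
    print("what it looks like: %.1f bits" % naive_entropy("P@ssw0rd1!"))  # 65.5
    print("32-char generated: %.1f bits" % generated_entropy(32))         # 209.7
```

The gap between 8.2 and 65.5 bits is the whole point of the xkcd comic: the policy measures the shape of the password, the cracker measures the process that produced it. A movie quote used as a master password has the same problem in miniature, since famous phrases live in phrase lists just as dictionary words live in word lists.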
Even though nobody could remember a password like that after watching it typed out, KeePass also prevents shoulder surfing. Put the cursor in the user name box, switch back to the password manager, select the entry and press Ctrl+V (KeePass's auto-type shortcut). That is all there is to it: it types the user name and password into the right boxes and submits the form. With browser add-ons, it can even be configured to detect a login page and fill and submit it automatically.
Passwords should also change. Changing a password ensures that someone who did obtain it cannot keep using it indefinitely. KeePass can remind users to change passwords at whatever interval they like, from once a day to once a year, and the more important the site, the more often it should change. Scheduled rotation matters less for unique, random passwords than for reused ones; what matters most is changing a password the moment its service announces a breach. Anyone using a program like this should also delete the passwords saved in their browser and never write them down.
With KeePass, passwords can only be retrieved by entering the master password. Long sentences are effective master passwords, and especially easy to remember if they are unforgettable movie quotes. KeePass rates "Life is like a box of chocolates. You never know what you are gonna get." at 270 bits of entropy. Not bad! One caveat: that estimate treats the sentence as a string of characters, but a famous quote is in the phrase lists crackers already use, so a sentence of your own, or a quote with a personal twist, is far stronger than a verbatim one. Even so, it is a great deal easier to remember than the much weaker passwords people commonly use. KeePass also has extra security features for the paranoid, such as a key file that must be present alongside the master password, and the database file may be synced across systems with services like Dropbox.
With unique passwords, the compromise of one set of login credentials no longer has the same cascading effect. Services that notify you when a new login occurs help too; many of the big sites have this in their settings. It is also a good idea to delete accounts on services you no longer use, delete registration and confirmation emails from every account, and use several throwaway email accounts so that no one can easily produce a list of every service you have used. Be aware that many mail services do not actually delete emails until the trash is emptied.
Even though all this is fairly thorough, generally speaking there is no such thing as a secure system. Code is written with mistakes, in languages whose design has mistakes, compiled by an imperfect compiler, executed by a flawed processor, and transmitted over a long chain of fallible software and hardware to another machine that processes what it receives imperfectly. Bugs are common. One widely quoted estimate puts the industry average between 15 and 50 errors per 1000 lines of delivered code.
The most common vulnerabilities occur when a program is handed input it was not written to expect. Data that violates the programmer's assumptions can make the program behave differently than it was designed to. Most of the time the result is a crash, an error or warning, or nothing at all. Sometimes, though, the program can no longer tell whether what it received was user input or trusted code and control data: an over-long string overwrites the memory next to it, or a quote character in a form field is read as part of a database query. If an attacker can create that confusion, there is little limit to the damage he can do. Turning such a bug into something useful is called an exploit.
Exploits can execute untrusted code, set a value the attacker should not have access to, crash an important process, read a protected variable, or make a specific task the program performs (a subroutine) behave in unstable, unpredictable or, more terrifying, carefully planned ways. Exploits for reported vulnerabilities and bugs appear constantly, for nearly every piece of software available, and many more vulnerabilities are never reported at all. Some crafty attackers keep their own personal back door, never reporting the gold mine they have found.
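The data-versus-code confusion described above, as an added example (mine, not from the article or from any real site) in Python using the standard library's sqlite3: a login check that pastes the user's input into the query text, two classic inputs that make the database read that input as SQL, and the parameterised form that hands the very same input to the database strictly as data. The table, user names and passwords are constructed for the demonstration; a real site would store salted hashes, not the passwords themselves.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a real site's database.
    Plaintext passwords are for the demonstration only; real systems store salted hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", 1), ("bob", "hunter2", 0)],
    )
    return con


def login_vulnerable(con, name, password):
    """Builds the query by string formatting, so whatever the user types becomes
    part of the SQL text. The engine cannot tell attacker data from code."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, name, password):
    """Parameterised query: the SQL text is fixed and the values travel separately,
    so a quote character in the input is just a quote character."""
    row = con.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


# Attacker inputs. The first closes the password literal and appends a condition
# that is always true; the second ends the name literal and comments out the rest.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"

if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "alice", TAUTOLOGY))       # alice, no password needed
    print(login_vulnerable(con, COMMENT_OUT, "whatever"))  # alice
    print(login_safe(con, "alice", TAUTOLOGY))             # None
    print(login_safe(con, COMMENT_OUT, "whatever"))        # None
```

The fix is not to filter quote characters but to stop building program text out of input at all; the parameterised call is shorter than the vulnerable one and the bug class simply does not exist in it. The same principle (keep data and code in separate channels) is what buffer-overflow defences and safe shell-command APIs enforce in their own domains.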
Here is a wildly dangerous, exploitable vulnerability that was found in Flash last year. Don't worry, this particular issue is fixed, but I promise there are thousands more exploitable vulnerabilities floating around in code that you run every single day.
There are effective measures to mitigate some of the risk. A good operating system is an important layer of protection, and it is vital to install updates for the operating system and every piece of software on it. Developers are often made aware of vulnerabilities by white-hat researchers who find them, and the details are typically kept under wraps until there has been a reasonable amount of time to write a fix. Once the patch is released, the vulnerability is public knowledge, and attackers can compare the patched and unpatched code to locate it. The longer a system administrator or user procrastinates on a security update, the longer every creep has had to work on an exploit for that vulnerability.
I do not recommend Windows, personally. I take issue with some of the architecture design decisions they have made, but that isn't the main problem. Attackers typically want their malicious code to work on as many machines as possible. Windows holds the majority of the desktop market, so an attacker who wants to create something that spreads or deploys at scale will target Windows. They may likewise look for ways to subvert Norton because of its popularity, and use a flaw in a site as widely visited as Facebook as the entry point. Such a campaign could be programmed quite specifically and would still affect a great many machines. While obscurity is not security, it can sometimes help.
Just as an aside, for bonus paranoia, do a quick DuckDuckGo search for how to remove Windows passwords. I lost mine a few months ago, and I was in my system within 10 minutes. I just had to put a thumb drive in, copy some files onto it that I found for free online, reboot and hit enter 5 times. Not hard. Now wonder to yourself how difficult that would be to do remotely, specifically to the administrator account no one ever looks at. Could someone run code without the standard "Do you want this program to make changes to your system?" message ever popping up?
(I didn’t say to Google it because I do not consider Google to be a safe or trustworthy search engine. Duckduckgo is private and faster too.)
Linux has caught up with Windows and OS X in user friendliness while sacrificing none of its power-user control. I recommend giving it a shot; you might just like it, and it's more secure to boot. Here are a few distros to check out. They are free, and you can boot them from a live DVD or USB stick to get an idea of how they are without installing anything.
The community support is amazing. If there is a problem, thousands of people have likely had it before you, and someone wrote up the fix. Most fixes are done by copying and pasting into a little text box called a terminal window. When a fix is not readily available, problems can be posted on forums, where a serious expert typically replies within 24 hours. With so many user-friendly and diverse options out there, how does Windows control so much of the market? Try it. It's better and free. You might just like it.
Some people will never give up Windows; those users should be running two different types of malware scanner. The standard kind, like Norton, Microsoft Security Essentials or Avast, detects viruses by looking for a known signature in possibly malicious code. It is like a mug shot: the criminal has to have been caught before for the scanner to recognize the threat. It will not catch viruses that have not been reported yet, so brand-new viruses, and the ones so dangerous that no one has noticed them creeping around in the background, walk right in. Installing a virus scanner does not eliminate risk.
ThreatFire excels at detecting this kind of threat. It works by behaviour analysis, flagging known and unknown threats by what they do; this is like watching for criminal behaviour instead of looking for a familiar face. It is normally ill advised to run two scanners at once, but ThreatFire is designed to run alongside a conventional one and is an exception to that rule. It will not conflict.
Another huge issue with Windows is rootkits, and 32-bit Windows is especially exposed to them: 64-bit Windows requires kernel drivers to be digitally signed and guards kernel code with PatchGuard, which raises the bar for a rootkit considerably, although it does not make them impossible. Rootkits are the master ninjas of the shady software underworld. There is little they cannot do. They install silently, delete any visible record of their existence, may adapt if you start catching on to them, and can even do dirty tricks like installing themselves in your computer's firmware. Hint: that means they cannot just be deleted, and it is likely that no one will be able to track one to its actual source.
From Microsoft, “Rootkits are nearly undetectable and they’re almost impossible to remove”
The ones that install in non-standard locations will still be there after the hard drive is formatted and Windows is reinstalled. Some hacker in his basement will still be able to activate your webcam and microphone so he can rub lotion, bought with your credit card, on his chest while he watches your family play Wii Sports. No technical support line will be able to help you. You can check whether your Windows is 64-bit by pressing Win+R, typing "cmd", and then running "dir C:\Windows\SysWOW64" in the command prompt. If it says the path is not found, you are on 32-bit (SysWOW64 is the 32-bit compatibility layer, which only exists on 64-bit Windows). Upgrade to 64-bit. Seriously.
Everyone has WiFi, and only a handful of companies make the wireless routers, so it is fairly simple for a novice to look them up online. In the instruction manual (or online, where the neighbours prefer to get it) there is an IP address for the router's built-in administration website. With that IP address, it is just a matter of logging in with the default admin user name and password.
The name of a WiFi network is called the SSID, and every manufacturer ships a default one. When it is left at the default, an attacker can tell which router you have from information that is literally broadcast into the air, and from there easily look up its default IP address, admin password and WiFi password. Sometimes there will also be known vulnerabilities in your exact model to assist the attacker with more intrusive attacks.
An unconfigured router is a free pass to its network and its precious bandwidth. I personally know several people who openly admit to me that they haven't paid for internet in years. It is incredibly easy to get into them. In fact, I offered to secure a friend's hotspot, and I got in without the admin password or the IP address in a fairly short period of time. This is too easy to prevent to be a victim of it.
Once an attacker logs in, they can open ports that let them directly reach your networked computers, phones and gaming systems. Every password saved in a browser, every unencrypted bank statement and every nude picture on those computers now belongs to the creepy neighbour. Lucky neighbour, eh? And you thought they were smiling at you because they were friendly.
This is all preventable with some configuration. If you don't feel comfortable doing it yourself, your provider will walk you through it. Log in using the IP address from the instructions, with the admin name and password. Once logged into the router, change the SSID to something non-standard. Obviously both the admin password and the PSK (the pre-shared key, that is, the password used to connect to the WiFi) should also be changed. While you are there, make sure the encryption is set to WPA2 rather than WEP or none, and turn off WPS (the push-button or PIN setup) if the router offers it, because its PIN can be brute-forced.
There is often an option to hide the wireless network. This isn't hard to achieve! It just means the router stops advertising its name to the world. The only added complication is that you have to type in the SSID when connecting, instead of picking it from a list. Be clear about what this buys you: the SSID still goes out over the air whenever a device connects, so anyone with a WiFi sniffer sees it anyway. It keeps casual neighbours out of your network list, nothing more.
Most routers can also restrict access to certain MAC addresses. Typing "How do I find out my computer's MAC address" into DuckDuckGo will tell any user how to find theirs, and then the network administrator can limit access to just the expected devices in the house. It is a huge pain when your buddy comes over with his tablet asking about your WiFi: you can leave the option off, add guests to the accepted MAC list, or tell him you don't have WiFi (remember, your router is hidden). It is also only a barrier to honest guests; an attacker who sniffs a permitted MAC address can simply clone it, so treat filtering as tidying up, not as a lock. The lock is a strong WPA2 password.
ISPs, the government and the websites you visit can all record your internet activity and personal information, including your identifying IP address, and sometimes far more than that. Unfortunately, website administrators are not always trustworthy with that information, and historically governments have been shown to misuse this kind of data as well.
There are a few things that can be done to push back against these intrusions on privacy. A VPN service, like http://www.hidemyass.com/, sends your web traffic out through an IP address that is not yours. There are tons of VPN options, but be careful: the people who run the VPN see everything your ISP used to see. An attacker can easily pose as a working VPN service, especially a government attacker. There are many legitimate options, though. Research it. If you are willing to pay for the service, your options expand dramatically.
A good VPN will have hundreds or thousands of servers throughout the world, which means your traffic gets shuffled around the globe, and a client that does not connect to the same server every time is better than one that does. Servers that users connect to in Sweden before traffic is routed elsewhere are the absolute best: its privacy laws mean government tyrants cannot easily force the company to give up information about you or censor the internet. Remember what a VPN hides from whom, though: only the server your machine connects to sees your real IP address, and the websites you visit see the VPN's address instead, but the provider itself sits in the middle and can see both.
Although a VPN is a powerful tool, it should never be the only one a discerning user relies on. Tor is an anonymity network, not a website: it routes your traffic through several volunteer relays wrapped in layers of encryption (hence "onion routing"), so that no single relay knows both who you are and what you are visiting, and you use it through the Tor Browser. DuckDuckGo it for more information. The official website has loads of information about how it works and about the amazing things oppressed people have accomplished with it.
Cookies and DOM storage can also undermine efforts to browse privately. Cookies can track you across visits and gather data about you. Flash cookies (Local Shared Objects) are especially troublesome: they hold far more data than a regular cookie and are not cleared when you clear your browser's cookies. An add-on like Cookie Controller for Firefox can be set to block all cookie requests and DOM storage except for sites you have pre-approved.
Browsers should always be set to delete all cookies and cache at the end of each session. That means logging in every time you reopen the browser, and while that is slightly inconvenient, it is a lot better than what could happen to you if you don't. Always play it safe.
Browser add-ons also execute code on your machine, with a lot more freedom than a web page gets. Only install add-ons you trust. If you don't know who to trust, no add-ons at all is far superior to running one dangerous add-on. The ones I have mentioned here, plus an ad blocker, are perfectly safe.
SSL (today called TLS) gives you an encrypted connection between the browser and the website's server. Not every site offers it, but many do, and some, like Facebook, have it as a setting that must be selected. Turn it on. You can tell whether a connection is encrypted from the URL bar: addresses starting with http:// are not secure; those using https:// are. Remember that anyone between your browser and the website, on the WiFi, at the ISP or anywhere along the route, can read everything sent over a plain connection if they know how to look. Encryption in transit says nothing about the site at the other end, though; a phishing site can have a perfectly valid https:// address. Never send passwords, credit card information or anything that could be used against you over an unencrypted channel!
Safe browsing and happy trails, you guys! Thanks for reading!
If you enjoyed this article by Shain, please consider sending a tip to: 1LB15XzvLBwZer35mLoCRpTuv2UFRerAwY