PDA

View Full Version : Cybersecurity Tips For the Mildly Paranoid - USA Today Article Mar 13, 2017



RadDave
03-13-2017, 03:12 PM
Just read the short USA Today Article (http://ee.usatoday.com/Olive/ODN/USATSample/shared/ShowArticle.aspx?doc=USA%2F2017%2F03%2F12&entity=Ar00600&sk=4C339470) this morning - quoted below are the headings of most of the items discussed - believe I'm doing OK - could use stronger passwords and have a land line; don't do messaging and leave our computers and iDevices on, i.e. let them 'go to sleep' - I've read about 2-factor authentication and seems a pain; finally, not sure that I plan to use a 'camera cover' but understand the issue.

So, just a FYI article generated by the recent WikiLeaks documents release - thus, a thread for discussion and comments on some of these issues - how far should one go 'in the home', 'in the office', and 'on the road'? How crucial are addressing these items if on an Apple computer/device vs. PC machines? Dave :)


Donít Get Phished
Use Two-Factor Authentication
Use Secure Web Browsers
Use Strong Passwords
Install a Modern OS
Install Security Updates & Patches
Use a Security Program
Use Encrypted Messaging Software
Install a Camera Cover on Your Devices
Use a Land Line
Unplug & Turn Off Your Devices

Raz0rEdge
03-13-2017, 04:09 PM
I firmly believe that 2FA is essential with the proficiency used by scammers to compromise your account. A strong password is great, but adding the 2FA to that makes it a lot more safer. In regards to strong password, I've just relinquished control to a password manager to create ridiculous passwords that I could never remember. The password manager itself is secured with a VERY strong single password that I can remember and coupled with 2FA (not SMS based)

I concur with the other things on the list like keeping things updated. We use a private messaging system for work, and I stick with Hangouts for personal chats (primarily with my wife) that doesn't involve any sensitive information other than what to pick up from the store..

harryb2448
03-13-2017, 04:18 PM
Ashwin in my rural area of Australia, we do not have cable, everyone uses landline. What s the security weakness of satellite and cable, please?

Raz0rEdge
03-13-2017, 04:29 PM
Harry, in the context of VOIP phones, they are susceptible to eavesdropping since its essentially Internet traffic that can be captured and analyzed like anything else. Furthermore, most users don't (not even sure if hey can) do anything to control/secure that aspect of the system. When you get a phone line from your Cable or FiOS provider, you get a modem that will handle it all for you and it "just works" without you doing anything. But that isn't behind your Internet firewall or anything, it's directly sitting on the Internet. In this case, you are getting security by obscurity since I, at least, don't know the specific ports that are being used to provide that communication.

But it doesn't take much for people to probe the ports to figure out which ones are being used to communicate and I'm not sure what sort of security is in place for the voice call packets. Are they securely transmitted over a HTTPS tunnel? VPN? Are they hashed based on some secret key that only the provider knows and as such any intercepted packets are useless? Too many questions..

Satellite has all of these issues and worse because it's over the air which is a lot more susceptible to capture..

RadDave
03-13-2017, 04:58 PM
I firmly believe that 2FA is essential with the proficiency used by scammers to compromise your account. A strong password is great, but adding the 2FA to that makes it a lot more safer. In regards to strong password, I've just relinquished control to a password manager to create ridiculous passwords that I could never remember. The password manager itself is secured with a VERY strong single password that I can remember and coupled with 2FA (not SMS based)

I concur with the other things on the list like keeping things updated. We use a private messaging system for work, and I stick with Hangouts for personal chats (primarily with my wife) that doesn't involve any sensitive information other than what to pick up from the store..

Hi Ashwin - thanks for the posts - now, the 2FA is for your Apple ID - correct? My wife and I share an Apple ID but we have two different iCloud accounts so that we each get the free 5 GB for backups - any different considerations for that type of setup? And I have the Apple article on the topic tabbed in Safari, and will read shortly.

Another issue not discussed in the article is the use of non-protected Wi-Fi services, such as in an airport, hotel room, coffee shop, etc. - we have used these often but 'cyber-danger' exists in these wireless situations - I have several travel routers in which I can cabled my in-room ethernet and then w/ the device setup a WEP2 PW protected personal network - assume that may be better but not sure if the IT people 'monitoring' even this cabled connection could not gather data - would like to hear from others concerning how these connections 'on the road' are handled. Thanks. Dave :)

Cr00zng
03-13-2017, 05:02 PM
The importance of addressing these suggested tips is dependent on the usage of different platforms. For example, my work platform is Windows 8.1 and some of the tips are addressed. My MacOS isn't used that much, only for business purposes, more of a necessity forced on me by clients since some of them use this platform. As such, I rely on the builtin security protection.

My take on some of the tips...

"Donít Get Phished" - In another word, don't take the bait. This used to be a good advise, however, it's not that easy nowadays with the prevalence of malwertisement, especially on the Windows platform.

"Use Two-Factor Authentication" - Agree Dave... This is just a pain to implement at home and/or small businesses. On the other hand, it should be a must for financial services access over the web, recommended for cloud based storage and/or critical web based other accounts. Yes, most of them utilize text messages to your cell phone and it is vulnerable to exploits. Not to mention the privacy implications of providing your cell number to the site in question.

"Use Secure Web Browsers" - :D Really, is there such a thing? The closest to this requirement is the ToR browser, my standard browser. I only open IE/FF/Safari if and when I need to access financial and other sites.

"Use Strong Passwords" - This is an overkill in my view and unnecessarily complicates the end user's life. As long as one does not use easily guessable password on local systems, that should be just fine. People tend to forget that in order to crack a password, they'd need the password hash. In order to get the password hash, one would need admin/root access to the system and if they have this level of access, cracking is not necessary.

The web based account password isn't much different either. Most places don't encrypt the passwords as we learned in number of cases, when web services had been hacked. And even if they do, they use easily breakable encryption. So other than making it hard for the end users to remember passwords, the strong password really doesn't provide much protection.

"Use a Security Program" - One is not enough for the Windows platform, while one is too much for the MacOS... ;D My Windows systems have 4-5 different security protection and my MacBook has none...

"Use Encrypted Messaging Software" - Encryption is easy... On the other hand, decryption is hard... This is why encryption isn't as prevalent as it should be. I can send anyone an encrypted document and the chances are that the recipient cannot decrypt it. Yes, SSL/TLS makes it easy for over the web connections, but they are also vulnerable to MITM attacks. Then there's the MITB (Man in The Browser) attacks that can circumvent other type of encryption as well. Yeah, encryption isn't that simple...

One tip that I did not see is user accounts on systems. Admin/root accounts should not be used as standard user account for every day's tasks. Any malware getting on the system, where the end user have admin/root access, will be executed at the access level of the logged on user. In another word, the malware will have unlimited access to the system. I am not certain, if there are reports on the impact of this for the MacOS, but there are for the Windows:

http://learn.avecto.com/ms-vulnerabilities-report-14#download-defendpoint-form

The report states that "Of the 240 vulnerabilities in 2014 with a Critical rating, 97% were concluded to be mitigated by removing administrator rights". 'nuf said...

"Use a Land Line" - Um, use what???:D;D

Raz0rEdge
03-13-2017, 05:19 PM
Hi Ashwin - thanks for the posts - now, the 2FA is for your Apple ID - correct? My wife and I share an Apple ID but we have two different iCloud accounts so that we each get the free 5 GB for backups - any different considerations for that type of setup? And I have the Apple article on the topic tabbed in Safari, and will read shortly.

Another issue not discussed in the article is the use of non-protected Wi-Fi services, such as in an airport, hotel room, coffee shop, etc. - we have used these often but 'cyber-danger' exists in these wireless situations - I have several travel routers in which I can cabled my in-room ethernet and then w/ the device setup a WEP2 PW protected personal network - assume that may be better but not sure if the IT people 'monitoring' even this cabled connection could not gather data - would like to hear from others concerning how these connections 'on the road' are handled. Thanks. Dave :)

Dave, the 2FA is more global than that. I haven't enabled 2FA for my Apple ID yet because their implementation is quite bad. But I have it enabled for Facebook, GMail, LastPass (my password manager), My bank and other financial institutions. When it becomes a part of your normal behavior, it doesn't seem like that much of a hassle. You can either use the Google Authenticator (https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8), LastPass Authenticator (https://itunes.apple.com/us/app/lastpass-authenticator/id1079110004?mt=8) or Authy (https://www.authy.com/) for starters as the app that will generate the tokens. You can load up various websites in these applications and when you enter your password, you'll be asked for the 6 digit code to get through. For my home machine (the one only I use) I choose to remember the 2FA code for 30 days (or however long they support) so that I'm not constantly doing it.

Apple 2FA is SMS based and I find that to be flawed since if you lose your phone, you can get compromised very quickly. At least with these apps, you can secure it with a pin code or touch ID or something to add a extra layer..

Public WiFi's are prone to issues in general and should not be used for anything secure. Even traveling with your WiFi access point and plugging into a hotel room Ethernet port is prone to issues as you've figured out, you don't have any idea what is in between your connection and routers in the hotel before you actually get out to the Internet. In these situations (where you can't know for certain how you are getting to the Internet), it is vital to employ a VPN.

There was a story a while back about certain people faking root certificates or overwriting them so that you couldn't verify the authenticity of an HTTPS connection. So the VPN would greatly help in this situation..

MacInWin
03-14-2017, 12:27 AM
People tend to forget that in order to crack a password, they'd need the password hash.Not really true. With access to system, brute force can be used, particularly if the password is a word in the dictionary. If you want to do it "elegantly" then starting with the hash would be nice, but not necessary if all you want is IN.

badshoehabit
03-14-2017, 10:59 AM
If you believe Kellyanne 'microwave' Conway you would need to wrap everything, including your head, in tin foil!:D

Yamaha Pat
03-15-2017, 12:45 AM
I'm mildly paranoid. Is there a way to find out if someone is hooking up with your wifi at home?

Pat

MacInWin
03-15-2017, 01:05 AM
Yamaha Pat, you can log into your Wifi router's administrative functions and see what devices are connected. You'll have to research your particular Wifi router for that.

Given you are paranoid, I presume you HAVE set a strong password on your wifi router, right? And you are using WPA2 protocol?

RadDave
03-15-2017, 01:18 AM
I'm mildly paranoid. Is there a way to find out if someone is hooking up with your wifi at home?


First, thanks all for your continuing comments - please continue - still interested in the best ways to handle Wi-Fi 'on the road' - Susan and I start our trips (most by car) in March-April and use Wi-Fi in hotels at all stops - is VPN the best way to go?

Second @ Pat - you can monitor your home LAN and also Wi-Fi networks in your vicinity - first image below is from an iPad app called FING which shows 15 devices connected to my home Wi-Fi network - all are my own, and I assume one not recognized would likely be listed. The second image is from an app Wi-Fi Explorer on my MBPro showing detectable networks in my vicinity - 4 are those broadcasted by my AP Extreme router - the rest are 'neighbors' - NOW, I'm assuming that you have a protected wireless home network - I'm using WPA2 (all of the locks seen on the second image) - also, don't allow setup over WAN - hope this helps. Dave :)
.
26099
.
26101

Cr00zng
03-15-2017, 12:51 PM
Not really true. With access to system, brute force can be used, particularly if the password is a word in the dictionary. If you want to do it "elegantly" then starting with the hash would be nice, but not necessary if all you want is IN.
Somewhat disagree... Guessing passwords is not = to cracking passwords; in my view, they are different albeit somewhat related.

The effectiveness of guessing passwords can be limited by a. use non-dictionary password and b. system limiting the the number of password entries prior to locking the account. Cracking passwords does not have these limitation. Having physical access to a system is "game-over" anyway, regardless of the password strength and lockout policy if and when the system drive is not encrypted. I prefer SED, or Self Encrypting Drives for this purpose over the software based drive encryption.

Cr00zng
03-15-2017, 01:10 PM
First, thanks all for your continuing comments - please continue - still interested in the best ways to handle Wi-Fi 'on the road' - Susan and I start our trips (most by car) in March-April and use Wi-Fi in hotels at all stops - is VPN the best way to go?
VPN will help protecting your data, when using transferring data over the internet, getting emails, etc. Just keep in mind that the system services, if enabled, are accessible from the local network, be that wired and/or wireless. For this reason, the firewall should block all incoming connection attempt at public WiFi spots.

Some anecdotal security measures that I'll take, when traveling with or without my better half. I pack a WiFi broadband router that is connected to the hotel's wired network. The router blocks all incoming connections, while WiFi DHCP disabled, IP address scope limited and MAC address filtering enabled. And still, the firewall is enabled on the laptops.

PS: Yes, the WiFi uses WPA2 based encryption with pre-shared key...


Second @ Pat - you can monitor your home LAN and also Wi-Fi networks in your vicinity - first image below is from an iPad app called FING which shows 15 devices connected to my home Wi-Fi network - all are my own, and I assume one not recognized would likely be listed. The second image is from an app Wi-Fi Explorer on my MBPro showing detectable networks in my vicinity - 4 are those broadcasted by my AP Extreme router - the rest are 'neighbors' - NOW, I'm assuming that you have a protected wireless home network - I'm using WPA2 (all of the locks seen on the second image) - also, don't allow setup over WAN - hope this helps. Dave :)


Good advise Dave, thanks...

I also enable MAC address filtering in my home network. While I am aware that it is just a speed-bump for hackers, it'll stop casual wanna be hackers...

RadDave
03-15-2017, 02:13 PM
VPN will help protecting your data, when using transferring data over the internet, getting emails, etc. Just keep in mind that the system services, if enabled, are accessible from the local network, be that wired and/or wireless. For this reason, the firewall should block all incoming connection attempt at public WiFi spots..........

What we take 'on the road' are iDevices (which do not have firewall settings) and my MBAir (Firewall ON) - our rules while traveling are emails, forums, and web browsing (no banking, purchases, or other personal/financial data) - concerning VPN, I used one at home when working (had to check my X-ray reports, patient records, and view exams), but have not used one in retirement - this PC Mag Article (http://www.pcmag.com/article2/0,2817,2403388,00.asp) is recent and outlines their top VPN choices, nearly all cost, so for a 'once a month' traveller needing this service, value vs. quality would be important, i.e. don't really need a 'continuous' plan - 'pay as you use' would be a nice choice - SO, for those reading this note and using a VPN at public hot-spots, which ones are recommended at the best prices?


VPN will help protecting your data, when using transferring data over the internet, getting emails, etc. Just keep in mind that the system services, if enabled, are accessible from the local network, be that wired and/or wireless. For this reason, the firewall should block all incoming connection attempt at public WiFi spots.

Some anecdotal security measures that I'll take, when traveling with or without my better half. I pack a WiFi broadband router that is connected to the hotel's wired network. The router blocks all incoming connections, while WiFi DHCP disabled, IP address scope limited and MAC address filtering enabled. And still, the firewall is enabled on the laptops.

PS: Yes, the WiFi uses WPA2 based encryption with pre-shared key...........

As to a travel Wi-Fi router, I own the 2 below - the Zuni is an older model (that seems to not be made anymore but still works); the RavPower FileHub is an all purpose device (i.e. wireless file transfer to a SD card, Wi-Fi AP w/ cabled ethernet, and battery backup) and more recently purchased - I've transferred files from my iPad w/ their app only - not sure how well it works as an AP - my question using either of these devices in a hotel room is that w/ WEP2 set, an 'incoming attack' would be prevented, but 'outgoing information' could still be caught in the middle and deciphered - correct? In the past, some hotels use to charge a fee/device for Wi-Fi access hence the reason I bought the Zuni a while back (i.e. buy one ethernet connection and setup the personal Wi-Fi hotspot and connect all iDevices + laptop).

Thus, the VPN would seem the best option to handle personal traffic over an unprotected Wi-Fi hot spot, but at a cost - the router would not be an extra charge and offers 'half way' protection in my mind - again any thoughts appreciated from others dealing w/ these issues. Thanks - Dave :)
.
26105
.
26106

Cr00zng
03-15-2017, 04:03 PM
Yes, VPN will prevent public networks intercepting/decoding your internet communications, as long as the traffic is in the VPN. However, there are other options as well...

You don't necessarily need to subscribe for a VPN service, you could just have a VPN connection back to your home broadband router. Most of them support limited number of VPN client connections. Setting up such is dependent on the broadband router and it's firmware, but manufacturers do make it easy as of late.

The other option for secure web access is the built-in VPN capabilities for browsers, such as Opera and ToR. The latter one isn't really a VPN, AES encryption between routers, but the result is the same. Just keep in mind that at the exit nodes the network traffic maybe plaintext, depending where the connection made. And yes, do use DNSCrypt that will encrypt your DNS queries for website addresses.

Raz0rEdge
03-16-2017, 11:44 AM
An appropriately time article about protecting yourself from Gizmodo: http://fieldguide.gizmodo.com/8-extensions-that-should-make-your-browser-a-little-mor-1793325559