In May 2017, more than 230,000 computers around the world were taken hostage by the WannaCry malware worm. Known as ransomware, the unknown developers surreptitiously gained control of computers running the Microsoft Windows operating system, encrypted the users’ data, and demanded a payment of $300 in untraceable bitcoins to unlock the system and access information.
Cyber-attacks occur across borders and range from simple email “phishing” efforts to sophisticated software programs that quickly expand the attacks and hide the identity of the perpetrators. Motives of cyber criminals range from vanity (proving one’s technical expertise) to illegal profit. Some attacks are politically motivated while others are rarely publicized, state-sponsored sabotage. The attacks affect individuals, businesses, and governments.
According to a report by the Ponemon Institute, a successful hacker earns $14,711 for each attack and has 8.26 successful attacks per year. Sophisticated hacking tools are readily available on the Internet, especially the Dark Web. The criminals and the curious are stepping up their efforts to invade your privacy and steal your money. What actions can you take to harden the target and protect your assets?
What actions can you take to harden the target and protect your assets?
Understand the Enemy
Malicious software can wreak havoc on your computer or operate covertly in the background. Malware (The Creeper Worm) was first detected on the ARPANET, the forerunner of the Internet, in the early 1970s. Since that time, spurred by the growth of personal computers and connected communication networks, many different types of malware have appeared, including:
- Trojans: The most common malware is based on the Greek strategy to invade Troy: the Trojan Horse. In this case, users are tricked into allowing an outsider unlimited access to their computers by clicking on an unsafe Internet link, opening an email attachment, or completing a form. By themselves, Trojans are delivery vehicles, providing a “backdoor” into a computer or network. As a consequence, they open the door for malicious software to steal data, compromise operating systems, or spy on users. Trojans do not replicate themselves and spread to other devices like a virus or a worm.
- Viruses: Just as a biological virus is transmitted to unsuspecting hosts, a computer virus replicates itself and infects new computers, then modifies operating programs to malfunction. Some have called viruses “diseases of machinery,” a term first coined in the 1972 futuristic film “Westworld.” One of the early viruses – Love Letter – delivered by an email with the subject line “I Love You” and an attachment “L0VE-LETTER-FOR-YOU.TXT” – attacked 55 million computers worldwide and caused an estimated $10 billion in damage, according to Wired magazine.
- Worms: Unlike viruses, worms are software programs that travel from computer to computer on a network without any human action. A worm moves through the same network connections that computers use to communicate. For example, a worm could send a copy of itself to everyone listed in an email address book without knowledge of the sender and continue the cycle indefinitely with each new contact. The result can be an overloaded system, or worse, if combined with a virus – a blended threat. In 2008, one of the most notorious and widespread worms of all time, Conficker, appeared and created a worldwide botnet with millions of computers under its control. In 2009, Microsoft offered a $250,000 reward for the arrest and conviction of those who launched the worm on the Internet; the reward remains uncollected, and the purpose of the original authors is unknown. Nevertheless, versions of Conflicker continue to exist today and have appeared on connected MRI machines, CT scanners, dialysis pumps, and police body cameras.
- Bots: Bots are automated processes that interact with other network services. These Internet robots are used to gather information and respond automatically to instant messaging, chat, and other web interfaces. Bots are used for beneficial or benign purposes, but can be exploited to self-propagate, connect throughout the network of connected devices, and remotely control attacks against vulnerable targets. Sometimes referred to as “zombies,” bots are more versatile than viruses or worms because they have the ability to log keystrokes, collect passwords, capture and analyze packets of information, gather financial information, launch DoS (Denial of Service) attacks, relay spam, and open backdoors on infected computers. They are more versatile, easily modified, and difficult to detect. Advertising Age reported in 2015 that Internet ad-fraud by bots mimicking human beings earned $18.5 billion annually.
Potential Consequences of an Attack
The United States Congress is currently investigating several instances of alleged hacking by Russian agents that occurred during the 2016 presidential election. In the Philippines, a data breach by the hacker group Anonymous Philippines and the theft of encrypted and unencrypted biometric data affected 55 million voters. In 2017, newly elected French President Emmanuel Macron and his subordinates complained of cyber-attacks during the country’s presidential campaign.
In February 2016, hackers stole records for almost 30,000 employees of the FBI and Homeland Security. In 2015, a data breach reported by the Internal Revenue Service exposed tax information on more than 700,000 individuals. That same year, the Federal Government’s Office of Personnel Management announced the theft of personal information for more than 21 million federal employees and contractors.
Governments are not the only targets. According to the Heritage Foundation, cyber intruders hacked multiple company databases in 2016, including Hyatt Hotels Corporation, Alliance Health, Wendy’s Restaurants, Citibank, and Banner Health. The victims also included leading social network companies, such as Yahoo, Dropbox, Myspace, and LinkedIn. The consequences of hacking affect all web visitors in a variety of ways.
Potentially Unwanted Programs
Potentially Unwanted Programs (PUPs) include adware and programs that slow your computer down, track you, and clutter your screen with advertisements. According to How-To Geek, all of the free Windows and Mac software download sites bundle PuPs with their freeware. Once installed, the software loads advertising that obstructs content or interrupts web browsing with unwanted pop-up and pop-under windows. It can also hijack search engines and home pages, install toolbars, redirect Web pages, alter search results, and display false ads.
Distributed Denial of Service
In 2016, Distributed Denial of Service (DDoS) attacks affected some of the major technology companies on the Internet, limiting access to websites like Twitter, PayPal, and Spotify. According to Al Jazeera, that particular attack focused on the web traffic processor Dyn and used hundreds of thousands of connected devices, including webcams and digital video recorders that had previously been infected with malware. Even WikiLeaks founder Julian Assange’s Internet connection was affected.
The danger of DDoS attacks cannot be overstated since critical infrastructure – power systems, hospitals, air traffic systems, police and fire units, money transfer systems – could go offline and be unavailable to provide necessary services. An Incapsula survey estimates that the average DDoS attack costs its victim $40,000 per hour, with a median cost per incident of $500,000. Over 90% of the 270 U.S. companies that responded to the survey reported a DDoS attack over the last year, while two-thirds of the companies had been targeted two or more times.
Spyware is software that is secretly loaded on an electronic device and can track keystrokes typed on a computer or phone keyboard, monitor data entered into digital forms, or record audio and video information covertly. Adware – while less intrusive than most malware – is another form of spyware and is used by advertisers and web hosts to target advertising content.
Software downloaded from the Internet often includes spyware. It can also be covertly downloaded while visiting certain Web pages, especially pornographic sites. The pages contain scripts that automatically trigger a spyware download that opens as soon as the page is accessed.
In a case involving the Lower Merion School District of Pennsylvania, 2,300 MacBooks issued by the District contained spyware that secretly snapped thousands of webcam pictures of students at home, in bed, and partially dressed. According to Wired magazine, the District agreed to pay $610,000 to two students and their attorneys. Another case involved pictures of Miss Teen USA that were taken using her webcam as she changed.
It is legal to sell spy software – a Remote Administration Tool (RAT) for computers and electronic devices. While it is illegal to use such software beyond the workplace, enforcing these rules is difficult at best.
The most common result of a computer hack is the theft of critical or confidential information that can be used to impersonate others electronically – identity theft – or blackmail those who would suffer if the information were released. Criminals use personal information to steal:
- Tax Refunds. The perpetrator files a false return using a stolen Social Security Number and receives a refund before the real return is filed.
- Medical Services. Using health insurance information, the thief convinces the health-care provider to send fraudulent bills to the insurance company.
- Property and Financial Assets. Social Security Numbers for children and seniors are especially valuable for opening credit card accounts and applying for government benefits. Neither group is likely to notice the new accounts or changes in their credit standing.
In attacks like WannaCry, companies and individuals are threatened with extortion after embarrassing or proprietary information has been taken. The Los Angeles Times reported in 2017 that a digital copy of the fifth installment of the Disney movie “Pirates of the Caribbean: Dead Men Tell No Tales” was hacked. The thieves threatened to release the film in segments, a scheme likely to devastate box office demand, unless Disney paid the ransom.
Cybersecurity Ventures estimates that the costs of global cybercrime will rise to more than $6 trillion annually by 2021. As a consequence, it’s not surprising that organizations will also increase their budgets to protect their information assets. In a Forbes magazine article, Cybersecurity Ventures CEO Steve Morgan estimated the market for defense against cyber-attacks would reach $170 billion in 2020 – up from $77 billion in 2015. He notes that the federal government has spent over $100 billion on cybersecurity during the last decade.
The estimate for security costs does not include those paid by small companies and consumers for personal identity theft protection services, computer and mobile phone repair services to remove malware and viruses, installation of antivirus and malware protection software, or post-breach services like data recovery and user education on best practices for personal cyber defense. There are no estimates for lost productivity as the result of hacks, nor for the frustration and anger experienced by victims of a cyber-attack.
A drawback to living in the Information Age is that every electronic device capable of communicating with other devices is subject to hacking and malware. The Internet is saturated with tools and manuals explaining memory chips and programming languages to modify factory-manufactured devices, even those with wireless connections. Unfortunately, there are plenty of shady people who are eager to take advantage of the technological gaps.
The term “hacker” is controversial in the security world. It can refer to someone who compromises computer security, or a skilled developer of free software. Insiders prefer to use the terms “black-hats” and “white-hats” to distinguish between the good and bad guys:
- Black-Hats: These hackers violate computer security for personal gain (such as stealing credit card numbers) or for purely malicious reasons (organizing a botnet to perform DDoS attacks against websites they don’t like).
- White-Hats: They’re the “ethical hackers” – experts at compromising computer security systems who are employed to test an organization’s computer security systems (“penetration testing”). While this work is similar to that of a black-hat, the white-hat hacker reports back to the organization and informs them about how they gained access; this allows the company to improve their defenses.
Black Hat Security and DefCon conferences are held around the world. The meetings enable security professionals to identify and create effective countermeasures for future hacks. At each conference, attendees employ burner phones, use pen and paper instead of a laptop, and pay with cash rather than credit cards.
According to USA Today, these tactics are necessary because the conferences are “attended by thousands of people with the tools and knowledge to break into just about every system imaginable.” Past conferences have demonstrated how to:
- Disarm home security systems
- Open and start a locked car without a key
- Take over a moving car to turn, slam on the brakes, or speed up
- Take over an FM-radio digital channel and deliver fake traffic alerts
- Avoid paying traffic tolls or disrupt traffic management systems
- Transmit false messages to commercial airlines
- Interrupt pagers and medical devices
- Replace the uplink transmissions on a television broadcast satellite with the hacker’s own feed
How to Protect Your Information
American novelist Thomas Pynchon supposedly said, “Paranoia’s the garlic in life’s kitchen, right; you can never have too much of it.” However, taken too far, paranoia will cause one to miss out on many of the benefits of the modern age.
An acquaintance of mine is so concerned about the potential loss of his private data that he refuses to use a phone with texting or Internet capabilities, relies on paper checks and deposit slips to pay his bills, and uses a standalone computer without Internet. He drives a 2000 Mercedes C-Class and relies on a 120-pound German Shepherd for home security. Fortunately, there are steps you can take that will reduce the threat of information theft without losing the comforts and conveniences of modern technology.
Manufacturers typically ship computers and mobile phones with a particular operating system (OS). Most PCs ship with the latest version of the Windows operating system – currently Windows 10. Apple computers use the Mac operating system (currently macOS High Sierra for computers and iOS 10 for iPhones). Be aware that Windows is the most popular target for hackers, simply because it dominates the market (90.6% market share). As a consequence, many computer security professionals consider lesser known operating systems to be more secure. When configuring a new device or operating system, privacy settings should be the first order of business.
To make your device more secure, take the following steps.
1. Determine the Installed Operating System
If you decide to change the OS, you will need a bootable USB drive capable of overriding your current OS’s boot process. You may also need to reformat the hard drive to use the new OS. Before deciding to replace the existing OS, consider that it is closely aligned with the hardware. Furthermore, the developers of all operating systems are constantly upgrading the program to foil hackers and correct minor programming errors. Changing the OS may not be worth the time and effort involved to complete the process.
2. Keep Your OS Up-To-Date
Be aware of recent patches and fixes recommended by the OS vendor and regularly install the latest updates to protect against new malware. Run the latest OS version on your cell phone. Check for updates automatically if the option is available.
3. Review the Privacy Settings on Your Device
Developers are constantly upgrading user-controlled privacy and security settings on hardware. SecurityIntelligence recommends nine tips for Windows 10 users, and Macworld provides similar tips for the Apple operating system. Some experts recommend the MyPermissions tool as an easy solution to check your permission settings across a multitude of apps, receive reminders to clean undesired or out-of-date permissions with mobile-friendly apps, and get alerts when apps access your confidential information so that you can remove them with a single click. The tool is available for Microsoft, Apple, and Android operating systems.
4. Enable Remote Location and Device-Wiping for Mobile Devices
If your gadget is lost or stolen, tracking apps can tell you exactly where it is. These apps also let you wipe sensitive information remotely. “If your phone does end up landing in the wrong hands, you can at least make sure they don’t get your information,” says Kim Komando, host of a popular radio show about technology.
Use pass locks on your phone and rely on a full alphanumeric password. While biometric lock systems are becoming popular, most experts do not consider them as secure as a carefully designed password. Consider using a vault app – an application that hides data on a smartphone and requires a password – even though it theoretically could be cracked by an experienced, persistent hacker.
Disable Bluetooth when you’re not using it. According to Kaspersky Lab, the only way to completely prevent attackers from exploiting the permission request/grant process is to power off your device’s Bluetooth function when you’re not using it – not putting it into an invisible or undetectable mode, but completely turning it off.
5. Install Antivirus and Anti-Spy Software
While some software programs claim to have both anti-spy and antivirus capabilities, most experts recommend a layered approach – multiple programs that run side by side to catch threats. Be aware that no antivirus or anti-spy program will provide 100% protection.
Some consumer groups have questioned the wisdom of purchasing anti-malware software; instead, they recommend users be proactive in their browsing habits, even when they have malware protection:
- Review all Software Documentation Before You Agree to Download a Program. You might not be aware that you agreed to the spyware installation because your consent was buried in an end user license agreement (EULA).
- Be Cautious About Clicking on Pop-Up Boxes. Spyware programs may create a pop-up box where you can click “yes” or “no” to a particular question. If you click on either choice, your browser may be tricked into thinking you initiated a download for spyware.
- Avoid Free Anti-Spyware Programs or Those From an Unknown Site. Hackers have begun to package spyware in these free programs.
- Be Wary of Unknown Email Attachments. Scan email attachments before downloading and opening them, especially if they are from an unknown sender.
- Keep Anti-Malware Software Updated to Ensure You Have the Latest Protections. Always be sure to keep anti-malware and antivirus software up-to-date to ensure your devices are protected.
6. Install a Firewall
Every computer that is connected to the Internet should run a firewall at all times. Microsoft, Apple, and Linux operating systems have built-in firewalls (software firewalls) that most computer professionals consider adequate for consumer protection, but third-party alternatives are available. Microsoft OS comes with the firewall turned on, but you will need to enable the Apple or Linux firewall programs. Be sure to configure your preferred firewall through the Security/Privacy area of the System Settings. Do not run two software firewalls simultaneously, as they might conflict.
Most wired and wireless routers – the network device that sits between your computer and modem – come with effective firewalls if properly configured. Use only routers that support encryption via WPA or WPA2. For maximum security:
- Change the Name of Your Router. The default ID – called a “service set identifier” (SSID) or “extended service set identifier” (ESSID) – is assigned by the manufacturer. Change your router to a name that is unique to you and won’t be easily guessed by others.
- Turn Off SSID Broadcasting to Hide Your Wi-Fi Network. This step will reduce the visibility of your network to others. The only way to connect to a wireless network with SSID Broadcasting turned off is to know the SSID name and password.
- Change the Preset Password on Your Router. When creating a new password, make sure it is long and strong and uses a mix of numbers, letters, and symbols.
- Review the Security Options. When choosing your router’s level of security, opt for WPA2, if available, or WPA. They are more secure than the WEP option. Consider encrypting the data on your network for more security.
- Create a Guest Password. Some routers allow for guests to use the network via a separate password. If you have many visitors to your home, it’s a good idea to set up a guest network.
7. Select a Secure Browser
Browsers have various security and privacy settings that you should review and set to the level you desire. For example, most browsers give you the ability to limit websites’ tracking of your movements, increasing your privacy and security. The Mozilla Firefox browser is popular because of its add-ons that strengthen security:
- Better Privacy: “Flash cookies” (sometimes known as “super cookies”) are difficult to detect and remove, since normal procedures for removing cookies – clearing the history, erasing the cache, or choosing a “delete private data” option within the browser – do not affect flash cookies.
- HTTPS Everywhere: This browser extension ensures that you use encrypted connections whenever possible. The program makes it easier to keep your usernames, passwords, and browsing histories private.
For more information on these programs and other tips on browser security, visit Heimdal Security’s Safe Browsing Guide. And always keep your browser up-to-date.
8. Practice Good Password Habits
Passwords are frequently the only thing protecting your private information from prying eyes. Unless you suspect your information has been exposed, there is no need to change passwords if you use strong passwords initially. A good password strategy requires you to:
- Exclude Personally Identifiable Information. Exclude information like Social Security Numbers, phone numbers, and addresses from passwords.
- Substitute Soundalike Numbers or Letters for Words. For example “k9” for “canine,” “c” for “see,” “M8” for “mate,” or “n2” for “into.”
- Use a Passphrase. Using a passphrase (“14theMoney,” for example)is more effective than using a single word. Combining the first letter of each word in a favorite phrase with numbers and special characters is also effective.
- Limit Each Password to a Single Account. Group the accounts by function – social media, financial information, work – and use a different approach for creating passwords within each function.
- Consider Password Management Software. Consider software that generates, stores, and retrieves your passwords from an encrypted database if you have multiple accounts. Note that the trade-off for the convenience of a manager is easy access to all of your accounts if the manager is hacked. LastPass and 1Password are popular password management systems you can use.
- Use a Multifactor Verification Option. In addition to your password, access requires you to enter a second code when you sign in. The codes are frequently changed and delivered to your smartphone in real time.
The best practice is to never write your passwords down. Unfortunately, if you forget your password, a reset is necessary. According to LifeHacker, the password recovery process may enable a hacker to reset your password and lock you out of your account. For more protection, use security questions that are not easily answered and have the password reset go to a separate email account designed for resets only.
Many of the latest models of cell phones use a fingerprint for access. The software converts the image of your fingerprint to a mathematical representation of a fingerprint that cannot be reverse engineered, then stores it in a secure enclave within the phone’s chip. Most phones also provide access by a passcode if necessary.
9. Exercise Good Browsing Habits
While the benefits of the Internet are incalculable, the risks for the unwary are high. When browsing the Internet, take the following steps to minimize the possibility that your data might be compromised:
- Ensure the Website You Visit is Secure. Use “https://” rather than “http://” in your searches. While a bit slower to type, most computer professionals believe the extra security is worth the inconvenience.
- Block Pop-Up Ads. Even on legitimate websites, if possible. Pop-ups are a favorite avenue for hackers to gain access to computers. Fortunately, infecting a computer or network requires some action by the user to install the malware, such as clicking a link, downloading software, or opening an attachment (a Word or PDF file) in an email.
- Never Visit Questionable Websites. If you’re not sure if a site is secure, verify it first with online site checking services, such as Norton Safe Web. Never run pirated software; hackers use attractive and free prices on software to attract traffic.
- Download From Trusted Sources. Unless proper security measures are in place, even trusted sites are vulnerable. Always scan for malware before opening any new software or files. If you are concerned that a site is used for phishing, enter an incorrect password. A phishing site will accept an incorrect password, while a legitimate site won’t.
- Distrust Free Wi-Fi. When using a Wi-Fi connection at your local café, always assume someone is eavesdropping on your connection and take the appropriate security measures.
Social networks, such as Facebook and LinkedIn, as well as email and instant messaging services, are popular with hackers and scammers since messages can appear to be from trusted sources. Here are some tips to protect yourself on these sites:
- Use Security and Privacy Settings. Use these settings on social media sites to control access to your information.
- Be Careful What Files You Open. Even if the email claims to be from the government or your bank, don’t click on links embedded in email messages. Beware of email attachments from unknown people.
- Avoid Calling Unknown Telephone Numbers. Don’t call unknown numbers in an unsolicited email unless you have confirmed that it is a legitimate number.
Programs like Proton mail provide encrypted end-to-end emails. WhatsApp and Dust provide similar capabilities for instant messaging, and the latter also offers the ability to erase content after a predetermined interval.
10. Perform Regular Backups
While your computer may be an expensive asset, it is replaceable. However, the data and personal records on your computer may be difficult or impossible to replace. Unless you take steps to protect yourself from hardware failure or cyber intrusions, there is always the possibility that something will destroy your data.
Use a dual strategy to ensure your data stays safe by combining an encrypted, external hard drive with an online backup service. Windows’ BitLocker and Apple’s FileVault allow users to encrypt data easily, and there are a number of third-party cloud backup services available.
The personal security landscape is constantly evolving as black- and white-hats develop new measures and counter-strategies. Implementing these tips should provide adequate data protection for most consumers. However, for those seeking extreme protection, follow the tips of Darren Graham-Smith in his Guardian article.
Regardless of the steps taken to protect your data, your best bet is a liberal application of common sense. Keep software up-to-date, use anti-malware programs, avoid opening files and applications from strangers or unknown sites, and be sure your backup is current. Finally, turn off your computer when you aren’t using it – the surest way to avoid intrusions.
Have you been hacked? Are you worried about someone stealing your confidential information? What security measures do you have in place?