Why you should care: These days, almost everyone uses computers or “smart” phones (or internet-connected toys/refrigerators/thermostats). It’s difficult to avoid them. But everyone should know some basic things when using them, so that you don’t unwittingly give away your passwords or credit card numbers, or let your computer become a zombie in a botnet.
Security things to remember when using computers:
- Avoid insecure settings: Computers and devices often still offer settings that should no longer be offered, because they are no longer secure. For example, you should never set your wifi network with the WEP setting – instead, use WPA2. (I’m not sure if WPA is secure, because I didn’t look into it.) Also, just because WPA2 is secure today doesn’t mean it will be in 5 years, so if you’re reading this a few years after today (2018-05-14), then make sure to read up on whatever is secure in the day and time you’re reading this.
- “Attackers/hackers”: When you consider an “attacker” who is going to steal your information, don’t just think about someone who is somewhere on a computer ready to type commands and steal your information. Think of the internet as a giant underground network of tunnels that is set with booby traps (Indiana-Jones style). Many attacks have already been set and are already in place, waiting for an unwitting victim to make a mistake. Many of the spam/phishing emails are likely being sent from machines that were set up to run automated tasks a long time ago. There are probably computers/routers on the internet that are constantly trying to listen to everything that everyone does, waiting to see credit card information or a social security number in plaintext. That’s one of the many good reasons that we use HTTPS instead of plain-old HTTP.
- Social Engineering: When you’re browsing the internet and you get a warning about an invalid/missing certificate or an insecure connection, DON’T IGNORE IT!!!!! That’s how many of today’s hacks happen. Many computers are secure – it’s often the people who use them that make the attacks possible (zero-day flaws notwithstanding). That’s what is called “social engineering”.
- Keep your operating system and software up-to-date. There’s a reason we get updates, especially security updates – there’s a vulnerability, and someone figured out how to exploit it, and that’s why they patched it. Get the update. I know you don’t like when Windows says you have to update from Vista or 7 or 8 or whatever all the way up to 10(.103.8748.9874 or some crazy version number), but security is a good reason to update. If you don’t, then YOU MIGHT BECOME A PART OF THE BOTNET!!! (Wonder why computers with viruses run so slowly? It’s because they’re doing stuff in the background – performing DDoS attacks, searching your computer for your passwords and sending them off somewhere, and looking for other computers to infect.) So when half the internet comes down because a DDoS attack clogged up some DNS servers, it’s possible that you helped make that happen! Make sure you update your computer, and that your parents and uncles and aunts and grandparents update their computers too. Don’t become a hacker’s unwitting accomplice!
- Don’t use an IP address for authentication. Authentication means verifying someone’s identity. For example, when you visit https://google.com, the closed green lock in your browser address bar (really check that the spelling of google.com is correct) indicates that you’re on google.com, not on the website of an attacker who faked Google’s webpage. The green lock means you authenticated Google – you know it’s really Google. Sometimes it’s possible to use an IP address to open access/permissions to websites/servers, but IP addresses can be compromised, faked/spoofed, or changed (dynamic). Extra layers of security should be kept or put in place for real authentication.
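To make the last point concrete, here is an added example (not part of the original post) that puts an address-only check beside a layered check, where the address is just a coarse filter and a keyed signature does the actual authentication. The network range, client name, secret and function names are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample values (hypothetical): an allowlisted network taken from
# the documentation address range, and one per-client shared secret.
ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")
CLIENT_SECRETS = {"backup-agent": b"constructed-example-secret"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too new


def sign(client_id, timestamp, body, secret):
    """Client side: HMAC-SHA256 over the fields the server will verify."""
    msg = f"{client_id}\n{timestamp}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def ip_only_check(source_ip):
    """Weak: the source address alone decides access."""
    return ipaddress.ip_address(source_ip) in ALLOWED_NET


def layered_check(source_ip, client_id, timestamp, body, signature, now=None):
    """Address is only a coarse filter; the keyed signature identifies the sender."""
    now = time.time() if now is None else now
    if not ip_only_check(source_ip):
        return False
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None or abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(client_id, timestamp, body, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    ts = int(time.time())
    good = sign("backup-agent", ts, b"{}", CLIENT_SECRETS["backup-agent"])
    print(ip_only_check("203.0.113.7"))                                   # address alone
    print(layered_check("203.0.113.7", "backup-agent", ts, b"{}", good))  # address + key
    print(layered_check("203.0.113.7", "backup-agent", ts, b"{}", "0" * 64))
```

The timestamp check only narrows the window in which a captured request could be reused; a real service would also track used request IDs or nonces.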
The Morris Worm of 1988 was a missed wake-up call. ~Professor Mark Stamp, San Jose State University, 2018-05-10.
The internet was not built with security in mind, because it was made by and for researchers at universities and government organizations. When the Morris Worm brought down the internet, instead of rebuilding the internet with security in mind, they just made some minor patches. That patching behavior continues to live on today. The internet could have potentially been much more secure if they had taken a more drastic approach in 1988.
If you’re interested in keeping up-to-date with current security vulnerabilities and patches, I recommend https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new. ICS stands for “Industrial Control Systems”, which won’t be of interest to most individuals, but US-CERT sends email updates on things like web-browser/operating-system vulnerabilities/updates. Here’s an example: “Email clients supporting the OpenPGP or S/MIME standards may be vulnerable to a CBC/CFB gadget attack which may allow an attacker to inject content into an encrypted email which would establish an exfiltration channel when decrypted by the victim’s email client. For example, injecting an HTML image tag which, when rendered by the email client, sends the plaintext as part of an HTTP request.” (https://www.kb.cert.org/vuls/id/122919).