Technology has become ubiquitous in today's world and will be even more so in the years ahead. While it has made life better in so many ways, it has created new risks that range from petty annoyances to financial ruin. And it now has the potential to physically harm or even kill - through cyberweapons, the Internet of Things (IoT), and self-driving cars.
These aren't reasons to abandon technology, though. Ultimately, the impact of technology now and in the future comes down to how we choose to use it (for instance, right now you could text a friend who's going through a hard time, or you could humiliate them on social media).
Unfortunately, there will always be people who misuse and abuse technology. Consequently, each of us needs to make decisions on a daily basis as to how much risk we want to expose ourselves to; and because some of these problems are too large for any one individual or company to handle, we'll need to be active and knowledgeable participants in public debates as new government regulations are likely to be enacted.
In order to appropriately assess risks, stay protected, and participate in debates as an informed citizen, each person needs to understand what risks are out there, why those risks exist, and cultivate a security mindset (at least at a basic level).
It should be noted, though, that a complication arises in cybersecurity with how we assess how secure we are. Just because we feel safe (e.g., when Chrome displays a green lock next to the URL) doesn't mean that we actually are safe. This is completely different from how humans have assessed risk throughout human history. Generally speaking, if we felt safe, then we were safe (e.g., we live in an area with low crime rates and no one's broken our windows, so we feel and are safe). This oddity with cybersecurity has given rise to security theater, which is where policies are enacted to increase security (and make us feel more secure) but don't actually achieve that goal. Regrettably, security theater is performed by many organizations, including the TSA.
Because of this reality, we can't just change a few settings and feel completely safe. My biggest hope is that this site will help you develop a security mindset. However, each person is comfortable with different levels of risk in their life, so I'm not going to say, "You must absolutely do this or else..." Rather, I'll talk about various risks, their consequences, and solutions to lessen those risks. You can then decide what you want to do. Will there be principles that I highly recommend you practice? Of course. But I also understand that you may be comfortable with more risk than I am. Ultimately, I want you to act knowing the landscape rather than making decisions blindly.
Listed below are topics that will help you be safer, better informed, and create a security mindset.
Note: Nothing and no one can ever be 100% secure. If someone or a product claims to offer 100% security, they're intentionally misleading you, incompetent, or maybe a bit of both. While forming good habits will lower your chances of becoming a victim, we live in a connected world, and your information can still be compromised if other entities don't secure their systems or protect your personal data.
This site does not cover every security topic, nor does it teach you how to hack. There are so many subjects and angles to approach security from that, even at an introductory level, an exhaustive discussion on this site isn't feasible.
Technology is everywhere and has brought opportunities and risks. This site helps you develop a security mindset so you can be safer online and an informed citizen. It does not teach you how to hack.
This section covers three main areas where risks occur (digital, physical and social engineering) and specific risks within each of those categories.
This section discusses mass surveillance, encryption, cyberweapons, privacy, and government regulations.
This section talks about security as a mindset and provides resources to mitigate against risks, protect privacy, and lists trustworthy security news sites/where you can learn more.
Attackers will often use these three categories together in an attack. Click on the links below to learn more.
There are four main types of attackers. Each has its own skill level and targets:
In order to better understand digital risks, it's good to have a basic understanding of how computers (e.g., laptops/desktops, servers, smartphones, IoT devices, cars - essentially anything with a CPU) work and interact with each other (i.e., networks). I'll begin this section by talking about how computers and networks work and then discuss the risks. But don't worry - I won't be getting into any technical details. If you have questions, feel free to reach out to me.
When I first learned how to program, I was surprised to find out that computers aren't magic boxes. Instead, you have to tell them exactly how to perform tasks, and they follow those instructions exactly (which can be good and also really frustrating when something goes wrong and you can't figure out why).
For example, let's pretend I'm a computer and you're trying to get me to put an apple in your hand (we'll assume the apple's already in my hand). If you say, "put the apple in my hand," I won't have any idea what you mean. If you tell me to raise my hand, I could raise it 1mm or high above my head and do so really fast or really slow (or anywhere in between). So, you'll have to tell me to raise my hand by 45°. Once I've done that, you'll need to tell me how to drop it (perhaps by raising each of my fingers).
Once you've successfully taught me how to put an apple in your hand, you can save those instructions as a program (we'll call it "Put the apple in my hand"). The next time you need an apple, you'll only need to tell me to "put the apple in my hand," and this time I'll do it since I have the instructions on how to perform that task.
If you want to try writing a simple program, Codecademy offers several easy-to-follow tutorials (for beginners, I recommend Python).
The table below lists five common risks you may face (some even on a daily basis) and what you can do to mitigate those risks. A lot of other risks exist, but these are risks that you can directly control and mitigate.
Weak passwords mean an attacker can easily brute-force your passwords to gain access to your account. When data breaches occur that contain people's usernames and passwords, the problem is that those leaked passwords are used in future attacks. Password attacks also account for variants, like cheese, ch33s3, and che3se123. All of those are easily guessed.
Cracking passwords boils down to statistical probabilities and time (and ideally encryption). This means that the strength of your password is a combination of length and character set (letters, numbers, and symbols). Statistically, the average number of attempts needed to guess your password is (character set ^ length) / 2. The amount of time needed to crack a password depends on how many guesses per second the attacker can make.
Guesses over the internet run in the hundreds per second, while offline guesses can easily reach billions per second (yes, with a "b"). One security expert was able to make 350 billion guesses per second in 2012, and as of 2013 the NSA was purportedly capable of one trillion guesses per second.
By clicking these links, you can see how quickly passwords can be guessed online/offline and lists of the 1 million most common passwords and several million other passwords. Who knows, maybe one of your current passwords is on one of those lists? (FYI, some of the lists will take a while to load if you click to view them.)
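As an added example (not code from the original site), here is the formula above turned into a crack-time estimator at the guess rates the text quotes. The leet-substitution table and the five-entry COMMON_PASSWORDS list are constructed stand-ins for the real leaked lists linked above, and the estimator also shows why ch33s3 and che3se123 fall as fast as cheese.

```python
"""Crack-time estimates using the page's rule of thumb,
average attempts = (character set ^ length) / 2, at the guess rates
the text quotes. Added example, not code from the original site.
COMMON_PASSWORDS is a tiny constructed stand-in for real leaked lists."""
import string

# How much a guesser's character set grows when a password uses each class.
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
)

# Guesses per second quoted in the text.
GUESS_RATES = {
    "online, hundreds/sec": 100,
    "offline, billions/sec": 1_000_000_000,
    "2012 expert rig, 350 billion/sec": 350_000_000_000,
    "NSA (reported 2013), 1 trillion/sec": 1_000_000_000_000,
}

# Constructed stand-in for a leaked-password list; real ones hold millions.
COMMON_PASSWORDS = {"password", "123456", "cheese", "qwerty", "letmein"}

# Substitutions a cracker's rule set undoes so 'ch33s3' is tried as 'cheese'.
LEET = str.maketrans("0134578@$", "oieastbas")

def charset_size(password):
    """Size of the smallest character set covering every character used."""
    return sum(n for chars, n in CHAR_CLASSES if any(c in chars for c in password))

def average_attempts(password):
    """The page's formula: (character set ^ length) / 2."""
    return charset_size(password) ** len(password) // 2

def base_forms(password):
    """Variants a rule-based cracker derives: lower-cased, trailing digits
    stripped, leetspeak undone (so 'che3se123' collapses to 'cheese')."""
    lowered = password.lower()
    forms = {lowered, lowered.rstrip(string.digits)}
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms

def is_common(password):
    """True if any derived form is on the (constructed) leaked list."""
    return not base_forms(password).isdisjoint(COMMON_PASSWORDS)

def seconds_to_crack(password, rate):
    """A list hit costs at most the list length; otherwise apply the formula."""
    attempts = len(COMMON_PASSWORDS) if is_common(password) else average_attempts(password)
    return attempts / rate

def report(password):
    """Crack time in seconds for every quoted guess rate."""
    return {name: seconds_to_crack(password, rate) for name, rate in GUESS_RATES.items()}

if __name__ == "__main__":
    for pw in ("cheese", "ch33s3", "che3se123", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw:26} common={is_common(pw)!s:5}",
              {k: f"{v:.3g}s" for k, v in report(pw).items()})
```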
Phishing is where an attacker attempts to get sensitive information directly from you. This information is commonly usernames/passwords, credit card information, and other types of personal information.
These types of attacks most commonly come in the form of emails. The email can be personalized and look like it's from your bank (or any other organization) or include links to fake login portals that exactly mirror the legitimate login portal (these are easy for an experienced attacker to set up).
To help determine if a site is fake or real, look at the URL* (the address in the bar at the top of your web browser). URLs look like site.name.com (or .org, .edu, etc.). The main name of the company will be at the end of the URL (name.com). Anything before the name is legitimate (like login.name.com). Let's use Facebook as an example. A legitimate Facebook URL will look like facebook.com or login.facebook.com (always ending in facebook.com). A fake address will look like facebook.xyz.com.
*This isn't a fool-proof method, though. URLs can still be made to look just like the real address. To determine if it's real, 1) check if there's a green lock icon to the left (i.e., the site is using HTTPS), and/or 2) copy everything in the URL and paste it into a document. If you see things like "< script >" or other odd-looking content in the URL, type in the address you normally visit and/or contact customer support.
In sum, if you get an email with a link to your bank or other sensitive online account, don't click on the link - enter in the URL you normally use and/or call customer service. Alternatively, you can inspect the URL to determine if the address is legitimate or a hoax.
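The URL checks described above, as an added example (not code from the original site): the company name must be the end of the host, the scheme should be HTTPS, the decoded URL should not contain script-like characters, and, for the footnote's caveat that addresses can be made to look alike, hosts with non-ASCII or punycode labels are flagged. The sample links are constructed.

```python
"""Phishing link check following the page's rules: the real company name
must be the END of the host (facebook.com, login.facebook.com), the site
should be HTTPS, and the URL should not contain script-like junk.
Added example, not code from the original site; the URLs are constructed."""
from urllib.parse import urlsplit, unquote

def host_belongs_to(url, site):
    """True only if the URL's host is `site` itself or a subdomain of it.
    'facebook.xyz.com' fails because 'facebook' is not at the end."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    site = site.lower()
    return host == site or host.endswith("." + site)

def looks_alike_only(url):
    """Hosts with non-ASCII or punycode labels can render like the real
    address while being a different domain (the page's footnote caveat)."""
    host = urlsplit(url).hostname or ""
    return not host.isascii() or any(label.startswith("xn--") for label in host.split("."))

def link_warnings(url, expected_site):
    """Reasons to distrust a link, in the order the text suggests checking.
    An empty list means the link passed every check here (not a guarantee)."""
    parts = urlsplit(url)
    warnings = []
    if not host_belongs_to(url, expected_site):
        warnings.append(f"host {parts.hostname!r} is not {expected_site} or a subdomain of it")
    if parts.scheme != "https":
        warnings.append("not HTTPS, so the browser will not show the lock icon")
    # Decode %XX escapes first: '%3Cscript%3E' is '<script>' once the browser decodes it.
    decoded = unquote(url)
    if "<" in decoded or ">" in decoded:
        warnings.append("URL contains '<' or '>' (script-like content)")
    if looks_alike_only(url):
        warnings.append("host uses non-ASCII or punycode characters; may be a look-alike")
    return warnings

if __name__ == "__main__":
    # Constructed samples: one legitimate-looking, two phishing-style.
    for link in ("https://login.facebook.com/",
                 "http://facebook.xyz.com/login?next=%3Cscript%3E",
                 "https://xn--fcebook-hwa.com/"):
        print(link, link_warnings(link, "facebook.com") or "no warnings")
```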
WiFi - Public
Public WiFi leaves you open to WiFi sniffing. This is where an attacker gathers all of the information on the network. In short, if you use your local coffee shop's WiFi, anything and everything you do online can be viewed. This includes background data sent from your smartphone (if it's connected). Unless your data is encrypted, this data is visible in plaintext.
Even if your data is encrypted, if the service you're using doesn't use strong enough encryption, attackers can still view your data. Powerful software like Wireshark is available for free and makes WiFi sniffing possible. Other software lets attackers decrypt and view encrypted data.
Attackers can also conduct Man-in-the-Middle Attacks where the attacker can change information in-transit before/after you get/send it.
Another tactic attackers use is creating fake WiFi hotspots. These hotspots can be named similar to a legitimate one (e.g., Starbucks_Wifi vs Starbucks_WiFi) or even be the same name - there's absolutely nothing preventing them from doing that. (Each device broadcasting a WiFi hotspot can be named whatever the creator wants it to be. While you wouldn't want to name your WiFi the same as your neighbor's, an attacker may very well want to do so.)
WiFi - Personal
If someone knows your WiFi password, they can conduct the same attacks as if your WiFi were a public WiFi network. Even if you have a strong password, your WiFi is still vulnerable if you're using weak encryption (i.e., WEP and WPA).
Outdated Software
If your applications or operating system (e.g., Windows, Mac OS, Debian Linux, iOS and Android) are out of date, they're very likely susceptible to an attack that could let an attacker get full access to your computer, even if they're on the other side of the world. Zero days and other exploits exist in old software and are discovered as new programs/updates come out. This is why updating your computer is extremely important.
If an attacker physically gains access to your device, it's game over. They can brute force your password or use exploits to bypass security measures, gaining access to your data.
This is why iPhone and Android logins only permit a certain number of login attempts - this slows the attacker down. If your password is strong enough, that may make cracking your password in a reasonable amount of time impossible. And if too many incorrect attempts are made, the phone's data will be erased (or your password deleted, leaving your data encrypted - for all intents and purposes, deleted), reasonably protecting your data (although if improperly erased, the data can still be extracted by experts).
This video and this video by Dr. Anthony Vance, a security researcher at Brigham Young University, discuss how you can (not) make your computer 100% secure.
Protecting your data if someone gets physical access to your device can be hard, but you can mitigate this risk by ensuring your devices are encrypted and use strong passwords.
A security system is only as strong as its weakest link, and humans are often that weakest link. Social Engineers abuse trust to manipulate people into revealing information or granting unauthorized access to accounts and physical locations. Social engineering can be surprisingly easy to do and, in conjunction with humans frequently being the weakest link in security frameworks, the best hackers will often use this as their primary "hacking" tool.
For instance, in this video, a reporter asked hackers to hack his life. Right in front of him, one of the hackers called his phone provider's customer service hotline and, while talking to a company representative, got full access to his account, added a new account, and had the password changed. This is not by any means uncommon or unusual.
One of the world's most expert social engineers and hackers, Kevin Mitnick, was at one point being hunted down by the FBI. He evaded them for quite some time by tapping the FBI's communication networks and finding out what they were going to do next to get him. His ability to do this involved a lot of social engineering.
If you want to learn more about social engineering and/or Mitnick's story, I recommend reading Ghost in the Wires (you can also see Mitnick doing a live social engineering attack at Defcon, a hacking convention).
The art of encryption arose as people felt the need to protect documents from prying eyes. These cryptographers discovered methods to encrypt their data, but eventually someone would figure out how to decrypt those documents and any document using that particular method. Figuring out how to unravel these methods of encryption could take centuries (e.g., the Caesar cipher) or just a few years (e.g., the Nazis' Enigma machine).
Today, encryption is an integral part of life, and it keeps our data safe as it travels over the internet. Without encryption, services like online shopping or online banking would be impractical because anyone could see your credit card or banking info. (You can watch this video to learn more about how encryption works over the internet and this video for encryption in general.) It is also used to keep people from viewing data on your smartphone or laptop, so long as they don't have/can't guess the password. The latter use case has made it difficult for law enforcement to view data on criminals' devices (if they're encrypted). The most recent, high-profile case was Apple v. FBI. In this case, the FBI needed to gain access to a deceased terrorist's iPhone but was unable to because the phone was encrypted. The FBI calls this problem Going Dark. Attempting to solve this problem, law enforcement officials and politicians have called on Apple to create a backdoor that only law enforcement could use and no one else.
Cryptography, however, doesn't work this way. Modern ciphers are mathematical algorithms, and if you create a way for one group to break an algorithm, you create it for every group (good and bad). In other words, creating a unique backdoor for law enforcement means making everyone's data insecure and open to eavesdroppers, criminals, etc., and may cause more problems than it solves. (I won't get into the math, but if you want to learn more about it, you can watch this Khan Academy module or read The Code Book, which covers the history (and math) of encryption from Ancient Egypt to quantum cryptography.) A unique backdoor may sound possible, but according to our current understanding of the laws of mathematics, it is mathematically impossible. As a result, if we create a backdoor for one person, we create a backdoor for everyone else.
It's possible that the NSA, which employs more mathematicians than any other organization on earth, has discovered a way to do this. But due to the nature of their work, they can't (and shouldn't) share their discoveries.
Instead, we need to find solutions to the problem. This requires first defining what the problem ultimately is and then brainstorming ways to solve that problem. That includes weighing consequences, intended and unintended, of those solutions.
Since at least 9/11, the United States and many other countries (both democratic and authoritarian) have been conducting mass surveillance programs, often in the name of national security. In the US, a White House report found that these programs have done little to prevent terrorist attacks (see here and here). What these programs do result in is a loss of privacy, a declared natural right by the UN. They have also been declared illegal by a European Union court.
The topic and scope of mass surveillance is so broad that it can't be fully discussed on this site. What I will do is talk about a few of the US government's capabilities, Edward Snowden and his decision making process, and consequences of these programs.
Led by the NSA in America, the US has the capability to essentially monitor any and every conversation you have, unless you take precautions to guard against it. If you've ever sent an email, visited a website, texted, made a phone call - the NSA more than likely has a record of that. The government can view anyone through webcams (even if you think they're off), and NSA employees have inappropriately spied on women.
The government has claimed that with phone calls, they only collect metadata (who/when you called, call duration, etc.) and not the actual conversation. Metadata, however, is actually extremely useful in law enforcement, and a lot of information, even personal, can be gleaned from it.
In sum, if you have any interaction on a computer or are near one, there's a possibility that the NSA or another spy agency (like Britain's GCHQ) is either passively or actively monitoring your activities, with or without a warrant.
This video by John Oliver does a great job talking more about Mass Surveillance.
Knowing governments (and corporations) are surveilling their activities, people are adjusting their online activities. In other words, people are beginning to self-censor. The consequences of this include:
In 2010, security researchers came upon an odd piece of malware causing computers to crash and reboot. Throughout the course of their investigation, they would find it to be the first of its kind. Rather than stealing or recording data, the malware (known as Stuxnet) was designed to physically destroy a specific target - centrifuges at a nuclear reactor in Natanz, Iran. It is believed that the US and Israel created the malware.
A cyberweapon, like Stuxnet, is malware created by APTs to conduct espionage or physically attack, typically against a specific target. Since 2010, additional cyberweapons have been discovered all over the world. It's believed cyberweapons are in critical infrastructure systems in many nations. This has been backed by anonymous NSA employees' reports that the United States controls all of Iran's civilian and military infrastructure - dams, electric plants, nuclear reactors, telecom networks, et al. Part of Ukraine's power grid was shut down in Dec. 2015 by a cyber attack and possibly once again a year later.
Cyberweapons are immensely dangerous for several reasons:
Privacy is a fundamental part of a free society. In order to have free expression of ideas and beliefs, individuals need to be able to confidentially discuss their thoughts and make mistakes. Imagine how you would behave if you knew every thought and action you make would end up on social media? Because corporations and governments are monitoring peoples' actions, individuals are adjusting their behaviors. (See above for more discussion on this.)
Not all consequences of less privacy are bad. When used appropriately by law enforcement, illegal activities are stopped. And in the corporate sphere, personalized services improve our lives. For example, the Nest thermostat will learn your preferences to automatically adjust your home's temperature, and Google's personal assistant will search through your email to identify flight information, later giving you updates on that flight. And marketers can direct ads at their target groups rather than at everyone.
That said, less privacy has negative consequences, and some people want to live very private lives. The next few paragraphs will talk about cookies (a key piece behind corporate surveillance) and privacy vs. security. Tools you can use to increase your privacy are in the Habits & Resources section.
Most public security debates focus on security vs. privacy. In reality, this isn't accurate. For example, let's say you want to protect your home from unwanted visitors. There are a few options available to you, such as:
Currently, laws exist that prohibit hacking (i.e., unauthorized access) and viewing personal data. In 2016, Privacy Shield, a new agreement between the USA and EU, went into effect and governs how governments and businesses of all sizes can handle personal data.
The Internet of Things (IoT) poses new opportunities and challenges. One of the challenges is that technology now has the capability to physically harm or kill. Because of this, and other problems no single person or business can solve, regulations will need to be implemented. For example, how do we manage security updates? On one hand, we want to make sure the bug is fixed asap, but on the other hand we need to make sure the update won't cause further problems (e.g., the role of the FDA with prescriptions). It's better that we make these regulations now than make rash decisions right after a disaster.
Your ability to lower your exposure to cyber risks depends on the habits and security mindset you develop. Nothing will ever keep you 100% safe - getting hacked or having your credit card information stolen is as likely as you getting physically ill. But like good health habits, you can keep yourself safe online by:
This site has been dedicated to helping you understand the first two bullet points. Listed below, in the resource section, are reputable security news sites/blogs and tools you can utilize.
That said, cyber risks are just one of the many types of fraud schemes. The fraud portion of this site discusses how to recognize fraud schemes in general, for both organizations and individuals, and has a resource section similar to the one below.
And once again, if you have any questions, please feel free to contact me.