The World of Cybersecurity

We live in a world saturated with technology. I've built this site to help individuals learn how to stay safe and become better-informed citizens (you can view my credentials here).

If you find something confusing or want a topic explained more, please feel free to contact me or visit the resource section.

Introduction

Technology has become ubiquitous in today's world and will be even more so in the years ahead. While it has made life better in so many ways, it has created new risks that range from petty annoyances to financial ruin. And it now has the potential to physically harm or even kill - through cyberweapons, the Internet of Things (IoT), and self-driving cars.

These aren't reasons to abandon technology, though. Ultimately, the impact of technology now and in the future comes down to how we choose to use it (for instance, right now you could text a friend who's going through a hard time, or you could humiliate them on social media).

Unfortunately, there will always be people who misuse and abuse technology. Consequently, each of us needs to make decisions on a daily basis as to how much risk we want to expose ourselves to; and because some of these problems are too large for any one individual or company to handle, we'll need to be active and knowledgeable participants in public debates as new government regulations are likely to be enacted.

In order to appropriately assess risks, stay protected, and participate in debates as an informed citizen, each person needs to understand what risks are out there, why those risks exist, and cultivate a security mindset (at least at a basic level).

It should be noted, though, that a complication arises in cybersecurity with how we assess how secure we are. Just because we feel safe (e.g., when Chrome displays a green lock next to the URL) doesn't mean that we actually are safe. This is completely different from how humans have assessed risk throughout human history. Generally speaking, if we felt safe, then we were safe (e.g., we live in an area with low crime rates and no one's broken our windows, so we feel and are safe). This oddity with cybersecurity has given rise to security theater, which is where policies are enacted to increase security (and make us feel more secure) but don't actually achieve that goal. Regrettably, security theater is performed by many organizations, including the TSA.

Because of this reality, we can't just change a few settings and feel completely safe. My biggest hope is that this site will help you develop a security mindset. However, each person is comfortable with different levels of risk in their life, so I'm not going to say, "You must absolutely do this or else..." Rather, I'll talk about various risks, their consequences, and solutions to lessen those risks. You can then decide what you want to do. Will there be principles that I highly recommend you practice? Of course. But I also understand that you may be comfortable with more risk than I am. Ultimately, I want you to act knowing the landscape rather than making decisions blindly.

Listed below are topics that will help you be safer, better informed, and create a security mindset.

Note: Nothing and no one can ever be 100% secure. If someone or a product claims to offer 100% security, they're intentionally misleading you, incompetent, or maybe a bit of both. While forming good habits will lower your chances of becoming a victim, we live in a connected world, and your information can still be compromised if other entities don't secure their systems or protect your personal data.

What This Site is Not

This site does not cover every security topic, nor does it teach you how to hack. There are so many subjects and angles to approach security from that, even at an introductory level, an exhaustive discussion on this site isn't feasible.

TL;DR

Technology is everywhere and has brought opportunities and risks. This site helps you develop a security mindset so you can be safer online and an informed citizen. It does not teach you how to hack.



Risks

This section covers three main areas where risks occur (digital, physical and social engineering) and specific risks within each of those categories.

Gov't. & Privacy

This section discusses mass surveillance, encryption, cyberweapons, privacy, and government regulations.

Habits & Resources

This section talks about security as a mindset, provides resources to mitigate risks and protect privacy, and lists trustworthy security news sites where you can learn more.

Risks

Attackers will often use these three categories together in an attack. Click on the links below to learn more.

Attacker Types

There are four main types of attackers. Each has its own skill level and targets:

Script Kiddies
These are lone hackers with little to no actual tech. skills. They use hacking tools developed by more capable hackers and follow tutorials posted online. Their attacks are often done to gain attention, experiment, or get a rush from a challenge; and these attacks are usually little more than a nuisance and pose little threat.
Hacktivists
Hacktivists are individuals or groups with a political agenda. Their skill level and resources vary. These groups aim to disseminate confidential information and/or take down websites. Examples include WikiLeaks and LulzSec.
Organized Crime
According to EY's cyber professionals, organized crime has moved off of the streets and into the cyber realm. Easily hiding their identity and whereabouts, the ability to defraud many people at once, and lower costs of operation are a few reasons they've made the move. These are the groups behind many of the spam and credit card frauds. They typically have more resources, and often more skills, than hacktivists.
APT's
APT's, or Advanced Persistent Threats, are hacking groups sponsored/bought or owned by nation states. They're usually after information (government, intellectual property, etc.), but they have created and used cyberweapons. They represent the greatest threat because they are willing to wait and have more resources than any other type of attacker. They usually target businesses, utilities, and other governments. Being targeted on an individual level by an APT is unlikely. It would be like encountering a bear on a hike and then having it attack you (to get away, you could trip your friend, but if that bear wants to take you down, you're going down). That said, it is possible to defend against APT's, but it requires high levels of diligence.

Digital (Hacking)

In order to better understand digital risks, it's good to have a basic understanding of how computers (e.g., laptops/desktops, servers, smartphones, IoT devices, cars - essentially anything with a CPU) work and interact with each other (i.e., networks). I'll begin this section by talking about how computers and networks work and then discuss the risks. But don't worry - I won't be getting into any technical details. If you have questions, feel free to reach out to me.


How Computers Work

When I first learned how to program, I was surprised to find out that computers aren't magic boxes. Instead, you have to tell them exactly how to perform tasks, and they follow those instructions exactly (which can be good and also really frustrating when something goes wrong and you can't figure out why).

For example, let's pretend I'm a computer and you're trying to get me to put an apple in your hand (we'll assume the apple's already in my hand). If you say, "put the apple in my hand," I won't have any idea what you mean. If you tell me to raise my hand, I could raise it 1mm or high above my head and do so really fast or really slow (or anywhere in between). So, you'll have to tell me to raise my hand by 45°. Once I've done that, you'll need to tell me how to drop it (perhaps by raising each of my fingers).

Once you've successfully taught me how to put an apple in your hand, you can save those instructions as a program (we'll call it "Put the apple in my hand"). The next time you need an apple, you'll only need to tell me to "put the apple in my hand," and this time I'll do it since I have the instructions on how to perform that task.

If you want to try writing a simple program, Codecademy offers several, easy-to-follow tutorials (for beginners, I recommend Python).
Systems & Networks

Computers don't typically run a single program like putting an apple in someone's hand. Modern computers are typically running millions, and often billions, of instructions each second from a variety of programs. A lot of those programs interact with each other and together make up an operating system (e.g., Windows, Mac OS, and Debian Linux).

At a lower level, the physical hardware components (such as the CPU, RAM, hard drive, keyboard, and monitor) form a system that enables computers to run those millions or billions of instructions each second. This physical system then joins with the operating system, allowing computers to work the way they do.

Because computers are systems, troubleshooting problems when they arise can be difficult - when a program or piece of equipment isn't working, the problem may actually stem from another, misconfigured program or a failing piece of hardware. In this way, fixing a computer problem is akin to a doctor diagnosing an illness based on a set of symptoms - a headache may be caused by a cold, muscle tension in the neck, or a brain tumor (this is why being on tech. support can last so long; but just like doctors, there are competent and incompetent tech. professionals).

Most computers don't interact with just themselves - most computers send/retrieve information with other computers (i.e., networking). They do this through sets of rules called protocols. The most common protocol you use every day is IP (Internet Protocol), and it dictates a lot of how the internet works. There are many other protocols (e.g., FTP, TCP/UDP, and SSH) that are used independently of or together with IP, but I won't discuss those here. Using these protocols, computers owned by individuals and organizations connect with each other and form the internet.

This video and accompanying learning module from Khan Academy explain more about how computer networks and the internet function.

Digital Risks

Listed below are five common risks you may face (some even on a daily basis), each with a description and what you can do to mitigate it. A lot of other risks exist, but these are risks that you can directly control and mitigate.

Weak Passwords

Description: Weak passwords mean an attacker can easily brute-force your passwords to gain access to your account. When data breaches occur that contain people's usernames and passwords, the problem is that those leaked passwords are used in future attacks. Password attacks account for variants, like cheese, ch33s3 and che3se123. All of those are easily guessed.

Cracking passwords boils down to statistical probabilities and time (and ideally encryption). This means that the strength of your password is a combination of length and character set (letters, numbers, and symbols). Statistically, the average number of attempts needed to guess your password is (character set size ^ length) / 2. The amount of time to crack a password depends on how many guesses per second the attacker can make.

Guesses over the internet range in the hundreds per second, while offline guesses can easily reach billions per second (yes, with a "b"). One security expert was able to make 350 billion guesses per second in 2012, and as of 2013 the NSA was purportedly capable of one trillion guesses per second.

By clicking these links, you can see how quickly passwords can be guessed online/offline and lists of the 1 million most common passwords and several million other passwords. Who knows, maybe one of your current passwords is on one of those lists? (FYI, some of the lists will take a while to load if you click to view them.)
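To put numbers on the formula above, here is an added example (my own code, not from the site) that works out the average cracking time of a password from its character set, its length, and the guess rates the text quotes. The rate labels and character-set sizes are assumptions chosen to match the text; the point it shows is that adding length beats adding symbols.

```python
import math

# Guess rates quoted on the page, in guesses per second: online attempts in the
# hundreds, offline cracking in the billions, one expert's 350 billion in 2012,
# and the NSA's reported one trillion in 2013 (300 is an assumed "hundreds").
GUESS_RATES = {
    "online (hundreds/sec)": 300,
    "offline (billions/sec)": 1_000_000_000,
    "2012 cracking rig": 350_000_000_000,
    "NSA, 2013 (reported)": 1_000_000_000_000,
}

# Sizes of the character sets the page mentions (letters, numbers, symbols).
CHARSET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "letters": 52,
    "letters+digits": 62,
    "letters+digits+symbols": 94,  # all printable ASCII except space
}


def average_guesses(charset_size, length):
    """Average attempts to hit a password chosen at random from the set:
    (character set ^ length) / 2, the page's formula."""
    return charset_size ** length / 2


def seconds_to_crack(charset_size, length, guesses_per_second):
    """Expected cracking time for an attacker making this many guesses/sec."""
    return average_guesses(charset_size, length) / guesses_per_second


def human_duration(seconds):
    """Render seconds in the largest convenient unit with one decimal."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(charset, length):
    """Expected cracking time in seconds for a password of this character set
    and length, against each attacker speed quoted on the page."""
    size = CHARSET_SIZES[charset]
    return {label: seconds_to_crack(size, length, rate)
            for label, rate in GUESS_RATES.items()}


def bits_of_strength(charset, length):
    """Equivalent strength in bits, log2(charset ^ length). Every extra
    character adds log2(charset) bits, which is why length matters most."""
    return length * math.log2(CHARSET_SIZES[charset])


if __name__ == "__main__":
    for charset, length in (("lowercase", 8), ("letters+digits+symbols", 8),
                            ("lowercase", 12), ("lowercase", 16)):
        bits = bits_of_strength(charset, length)
        print(f"{length} chars, {charset} ({bits:.0f} bits):")
        for label, secs in crack_table(charset, length).items():
            print(f"  {label:24s} {human_duration(secs)}")
```

Compare the 8-character all-symbol row with the 12-character lowercase row: the longer, plainer password is the stronger one at every guess rate.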
Phishing

Description: Phishing is where an attacker attempts to get sensitive information directly from you. This information is commonly usernames/passwords, credit card information, and other types of personal information.

These types of attacks come most commonly in the form of emails. The email can be personalized and look like it's from your bank (or any other organization) or include links to fake login portals that exactly mirror the legitimate login portal (these are easy for an experienced attacker to set up).

To help determine if a site is fake or real, look at the URL* (the address in the bar at the top of your web browser). URLs look like site.name.com (or .org, .edu, etc.). The main name of the company will be at the end of the URL (name.com). Anything before the name is legitimate (like login.name.com). Let's use Facebook as an example. A legitimate Facebook URL will look like facebook.com or login.facebook.com (always ending in facebook.com). A fake address will look like facebook.xyz.com.

*This isn't a fool-proof method, though. URLs can still be made to look just like the real address. To determine if it's real, 1) check if there's a green lock icon to the left (i.e., the site is using HTTPS), and/or 2) copy everything in the URL and paste it into a document. If you see things like "< script >" or odd-looking things in the URL, type in the address you normally visit and/or contact customer support.

In sum, if you get an email with a link to your bank or other sensitive online account, don't click on the link - enter the URL you normally use and/or call customer service. Alternatively, you can inspect the URL to determine if the address is legitimate or a hoax.

Solutions:
  • Don't click links in emails - enter the address manually
  • Before entering passwords or other sensitive information online, make sure the URL is correct.
  • For websites that require logging in, make sure you're using HTTPS

WiFi - Public

Description: Public WiFi leaves you open to WiFi sniffing, where an attacker gathers all of the information on the network. In short, if you use your local coffee shop's WiFi, anything and everything you do online can be viewed. This includes background data sent from your smartphone (if it's connected). Unless your data is encrypted, it is visible in plaintext.

Even if your data is encrypted, if the service you're using doesn't use strong enough encryption, attackers can still view your data. Powerful software like Wireshark is available for free and makes WiFi sniffing possible. Other software lets attackers decrypt and view encrypted data.

Attackers can also conduct Man-in-the-Middle attacks, where the attacker changes information in transit before/after you get/send it.

Another tactic attackers use is creating fake WiFi hotspots. These hotspots can be named similar to a legitimate one (e.g., Starbucks_Wifi vs Starbucks_WiFi) or even have the same name - there's absolutely nothing preventing them from doing that. (Each device broadcasting a WiFi hotspot can be named whatever its creator wants. While you wouldn't want to name your WiFi the same as your neighbor's, an attacker may very well want to do so.)

Solutions:
  • Use a VPN (a way to browse the internet over an encrypted connection)
  • Visit websites over HTTPS (HTTPS Everywhere is a great extension that automatically forces this to happen).
    Most browsers will display a green lock in the URL/address bar when HTTPS is in use
  • Double check WiFi hotspot names before connecting, and always use HTTPS in public

WiFi - Personal

Description: If someone knows your WiFi password, they can conduct the same attacks as if your WiFi were a public WiFi network. Even if you have a strong password, your WiFi is still vulnerable if you're using weak encryption (i.e., WEP and WPA).

Solutions:
  • Use a strong WiFi password
  • Use WPA2 encryption on your router

Outdated Software

Description: If your applications or operating system (e.g., Windows, Mac OS, Debian Linux, iOS and Android) are out of date, they're very likely susceptible to an attack that could let an attacker get full access to your computer, even if they're on the other side of the world. Zero days and other exploits exist in old software and are discovered as new programs/updates come out. This is why updating your computer is extremely important.

Solutions:
  • Update your applications, programs and operating system when updates come out
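The phishing advice above (the real company name must sit at the end of the host, the site must use HTTPS, and pasted links with odd-looking characters are suspect) can be turned into a small checker. This is an added example written for this page, not code from the site; the sample links are constructed, and flagging "@" and non-ASCII letters is an assumption that goes slightly beyond the text.

```python
from urllib.parse import urlsplit

# Characters the page says to treat as "odd-looking" when you paste a link into
# a document (a "<script>" tag, for example). "@" is added as an assumption:
# browsers read everything before it as a username, not as the site.
SUSPICIOUS_CHARS = set('<>"\'@')


def normalize(url):
    """Trim whitespace; give scheme-less text ('facebook.com/login') a plain
    http:// so urlsplit can find the host. Such a link counts as not HTTPS."""
    url = url.strip()
    return url if "://" in url else "http://" + url


def hostname_of(url):
    """Lowercase host of a link, or None if there is none or it won't parse."""
    try:
        return urlsplit(normalize(url)).hostname
    except ValueError:
        return None


def belongs_to(hostname, expected_domain):
    """The page's rule: the real company name must be at the END of the host.
    facebook.com and login.facebook.com pass; facebook.xyz.com does not."""
    expected_domain = expected_domain.lower().lstrip(".")
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def check_link(url, expected_domain):
    """Apply the page's checks to a link and return (ok, reason)."""
    if not url.isascii() or any(c in SUSPICIOUS_CHARS for c in url):
        return False, "odd-looking characters in the URL; type the address yourself"
    host = hostname_of(url)
    if not host:
        return False, "no site name found in the URL"
    if not belongs_to(host, expected_domain):
        return False, f"site name is {host}, not {expected_domain}"
    if urlsplit(normalize(url)).scheme != "https":
        return False, "not HTTPS, so the browser will show no lock icon"
    return True, f"{host} is {expected_domain} (or a subdomain) over HTTPS"


if __name__ == "__main__":
    # Constructed sample links: the page's own examples plus a few look-alikes.
    for link in ("https://login.facebook.com/", "https://facebook.xyz.com/login",
                 "http://facebook.com/", "https://facebook.com.example/",
                 "https://facebook.com@example.org/", "facebook.com/login"):
        print(f"{link:40s} -> {check_link(link, 'facebook.com')}")
```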

Physical

If an attacker physically gains access to your device, it's game over. They can brute force your password or use exploits to bypass security measures, gaining access to your data.

This is why iPhone and Android logins only permit a certain number of login attempts - this slows the attacker down. If your password is strong enough, that may make cracking your password in a reasonable amount of time impossible. And if too many incorrect attempts are made, the phone's data will be erased (or your password deleted, leaving your data encrypted - for all intents and purposes, deleted), reasonably protecting your data (although if improperly erased, the data can still be extracted by experts).

This video and this video by Dr. Anthony Vance, a security researcher at Brigham Young University, discuss how you can (not) make your computer 100% secure.

Protecting your data if someone gets physical access to your device can be hard, but you can mitigate this risk by ensuring your devices are encrypted and use strong passwords.

Social Engineering

A security system is only as strong as its weakest link, and humans are often that weakest link. Social Engineers abuse trust to manipulate people into revealing information or granting unauthorized access to accounts and physical locations. Social engineering can be surprisingly easy to do and, in conjunction with humans frequently being the weakest link in security frameworks, the best hackers will often use this as their primary "hacking" tool.

For instance, in this video, a reporter asked hackers to hack his life. Right in front of him, one of the hackers called his phone provider's customer service hotline and, while talking to a company representative, got full access to his account, added a new account, and had the password changed. This is not by any means uncommon or unusual.

One of the world's most expert social engineers and hackers, Kevin Mitnick, was at one point being hunted down by the FBI. He evaded them for quite some time by tapping the FBI's communication networks and finding out what they were going to do next to get him. His ability to do this involved a lot of social engineering.

If you want to learn more about social engineering and/or Mitnick's story, I recommend reading Ghost in the Wires (you can also see Mitnick doing a live social engineering attack at Defcon, a hacking convention).


Government & Privacy

This section covers cybersecurity issues frequently highlighted in the news and of national importance.


Encryption

The art of encryption arose as people felt the need to protect documents from prying eyes. These cryptographers discovered methods to encrypt their data, but eventually someone would figure out how to decrypt those documents and any document using that particular method. Figuring out how to unravel these methods of encryption could take centuries (e.g., the Caesar Cipher) or just a few years (e.g., the Nazis' Enigma machine).

Today, encryption is an integral part of life, and it keeps our data safe as it travels over the internet. Without encryption, services like online shopping or online banking would be impractical because anyone could see your credit card or banking info. (You can watch this video to learn more about how encryption works over the internet and this video for encryption in general.) It is also used to keep people from viewing data on your smartphone or laptop, so long as they don't have/can't guess the password. The latter use case has made it difficult for law enforcement to view data on criminals' devices (if they're encrypted). The most recent, high-profile case was Apple v. FBI. In this case, the FBI needed to gain access to a deceased terrorist's iPhone but was unable to because the phone was encrypted. The FBI calls this problem Going Dark. Attempting to solve this problem, law enforcement officials and politicians have called on Apple to create a backdoor that only law enforcement could use and no one else.

Cryptography, however, doesn't work this way. Modern ciphers are mathematical algorithms, and if you create a way for one group to break an algorithm, you create it for every group (good and bad). In other words, creating a unique backdoor for law enforcement means making everyone's data insecure and open to eavesdroppers, criminals, etc., and may cause more problems than it solves. (I won't get into the math, but if you want to learn more about it, you can watch this Khan Academy module or read The Code Book, which covers the history (and math) of encryption from Ancient Egypt to quantum cryptography.) A unique backdoor may sound possible, but according to our current understanding of the laws of mathematics, it is not. As a result, if we create a backdoor for one person, we create a backdoor for everyone else.

It's possible that the NSA, which employs more mathematicians than any other organization on earth, has discovered a way to do this. But due to the nature of their work, they can't (and shouldn't) share their discoveries.

Instead, we need to find solutions to the problem. This requires first defining what the problem ultimately is and then brainstorming ways to solve that problem. That includes weighing consequences, intended and unintended, of those solutions.

Mass Surveillance

Since at least 9/11, the United States and many other countries (both democratic and authoritarian) have been conducting mass surveillance programs, often in the name of national security. In the US, a White House report found that these programs have done little to prevent terrorist attacks (see here and here). What these programs do result in is a loss of privacy, which the UN has declared a natural right. They have also been declared illegal by a European Union court.

The topic and scope of mass surveillance is so broad that it can't be fully discussed on this site. What I will do is talk about a few of the US government's capabilities, Edward Snowden and his decision making process, and consequences of these programs.


CAPABILITIES

Led by the NSA, the US has the capability to monitor essentially any and every conversation you have, unless you take precautions to guard against it. If you've ever sent an email, visited a website, texted, or made a phone call, the NSA more than likely has a record of that. The government can view anyone through webcams (even if you think they're off), and NSA employees have inappropriately spied on women.

The government has claimed that with phone calls, they only collect metadata (who/when you called, call duration, etc.) and not the actual conversation. Metadata, however, is actually extremely useful in law enforcement, and a lot of information, even personal, can be gleaned from it.

In sum, if you have any interaction on a computer or are near one, there's a possibility that the NSA or another spy agency (like Britain's GCHQ) is either passively or actively monitoring your activities, with or without a warrant.

This video by John Oliver does a great job talking more about Mass Surveillance.

SNOWDEN


Long before Edward Snowden leaked NSA documents, other government workers raised concerns, internally and through established government procedures. They were aggressively attacked. This pattern of behavior against those raising concerns happened repeatedly, especially in the Obama administration.

Because of this aggression against any dissent, Snowden felt compelled to disclose secret NSA documents to journalists instead of talking with his higher-ups. He did not, however, leak CIA documents he previously had access to, out of fear that doing so would cause a lot of harm.

The documentary CitizenFour talks more about his story and how the documents were initially published (reporters still aren't finished, and new reports come out regularly from them). You can watch it on:
To read about the documents he leaked, visit these sites:

CONSEQUENCES

Knowing governments (and corporations) are surveilling their activities, people are adjusting their online activities. In other words, people are beginning to self-censor. The consequences of this include:

  • Restrained or false expression of opinion
  • Reduced creativity
  • Easily stifled dissent by governments

In addition, the United States, Great Britain, and several other nations have set up their surveillance programs in such a way that democratic societies could be turned into full-fledged surveillance states with the flip of a switch. And because we're gathering data on every single activity of every single person, if a leader or entire nation one day decides that they don't like a certain demographic or anyone who's ever searched for, say, paintings of boats, they can find out who that person is. So if you searched even once for a boat painting, even if you weren't actually interested in it, you'd be profiled and whatever actions the leader/nation deemed appropriate would be taken against you.

Technology has given us unprecedented ways to stop and combat crime, from criminal databases to real-time location monitoring. These new technologies, however well-intentioned, do have consequences. As a society, we need to take these into consideration and ask ourselves if these mass surveillance programs, which aren't even effective, are worth their impact on society.


Cyberweapons

In 2010, security researchers came upon an odd piece of malware causing computers to crash and reboot. Throughout the course of their investigation, they would find it to be the first of its kind. Rather than stealing or recording data, the malware (known as Stuxnet) was designed to physically destroy a specific target - centrifuges at a nuclear reactor in Natanz, Iran. It is believed that the US and Israel created the malware.

A cyberweapon, like Stuxnet, is malware created by APT's to conduct espionage or physically attack, typically against a specific target. Since 2010, additional cyberweapons have been discovered all over the world. It's believed cyberweapons are in critical infrastructure systems in many nations. This has been backed by anonymous NSA employees' reports that the United States controls all of Iran's civilian and military infrastructure - dams, electric plants, nuclear reactors, telecom networks, et al. Part of Ukraine's power grid was shut down in Dec. 2015 by a cyber attack, and possibly once again a year later.

Cyberweapons are immensely dangerous for several reasons:

  1. They can destroy critical infrastructure, meaning millions of people could be left without electricity, water, and other necessities for months or years
  2. Attribution is difficult to determine. False footprints can be easily left behind.
  3. Once a piece of malware is publicly known, anyone in the world can use it - APT's to security researchers to individual, rogue hackers.
To learn more about cyberweapons, see:

Privacy

Privacy is a fundamental part of a free society. In order to have free expression of ideas and beliefs, individuals need to be able to confidentially discuss their thoughts and make mistakes. Imagine how you would behave if you knew every thought and action you make would end up on social media. Because corporations and governments are monitoring people's actions, individuals are adjusting their behaviors. (See above for more discussion on this.)

Not all consequences of less privacy are bad. When used appropriately by law enforcement, illegal activities are stopped. And in the corporate sphere, personalized services improve our lives. For example, the Nest thermostat will learn your preferences to automatically adjust your home's temperature, and Google's personal assistant will search through your email to identify flight information, later giving you updates on that flight. And marketers can direct ads at their target groups rather than at everyone.

That said, less privacy has negative consequences, and some people want to live very private lives. The next few paragraphs will talk about cookies (a key piece behind corporate surveillance) and privacy vs. security. Tools you can use to increase your privacy are in the Habits & Resources section.


Cookies

The internet was never intended to work the way it does today. Because of this, when you log into a site, a website's server can't automatically remember who you are. To fix this, cookies are used. Cookies keep track of who you are, and that lets you stay logged into Facebook, Gmail, etc.

Cookies are also used to track what you do all over the internet, even when you're not logged into a service. This is how Facebook shows you ads for shoes after you've been looking up shoes.

There are services made by reputable organizations that prevent cookies from tracking you (see the tools section for these).

Privacy vs. Security (it's not)

Most public security debates focus on security vs. privacy. In reality, this isn't accurate. For example, let's say you want to protect your home from unwanted visitors. There are a few options available to you, such as:

  • Setting up (facial-recognition) cameras to track who comes to your house
  • Have a sign-in book
  • Live like Ron Swanson
  • Install locks
The first two require someone giving up their identity; the third, not using technology; and the last one doesn't require people giving up personal information. In terms of effectiveness, the locks are the best option to keep people out of your house, and that doesn't affect privacy in any way (except yours, which is increased).

Options like the lock exist in the cybersecurity realm. We don't have to give up our privacy to get more security. In fact, a lot of current security measures don't actually make us more secure, costing a lot of money and unnecessarily reducing our privacy (prime examples - mass surveillance and the TSA). This is known in the security field as security theater and was discussed in the introduction.

Regulations

Currently, laws exist that prohibit hacking (i.e., unauthorized access) and viewing personal data. In 2016, Privacy Shield, a new agreement between the USA and EU, went into effect and governs how governments and businesses of all sizes can handle personal data.

The Internet of Things (IoT) poses new opportunities and challenges. One of the challenges is that technology now has the capability to physically harm or kill. Because of this, and other problems no single person or business can solve, regulations will need to be implemented. For example, how do we manage security updates? On one hand, we want to make sure the bug is fixed asap, but on the other hand we need to make sure the update won't cause further problems (e.g., the role of the FDA with prescriptions). It's better that we make these regulations now than make rash decisions right after a disaster.

Habits & Resources

Habits

Your ability to lower your exposure to cyber risks depends on the habits and security mindset you develop. Nothing will ever keep you 100% safe - getting hacked or having your credit card information stolen is as likely as you getting physically ill. But like good health habits, you can keep yourself safe online by:

This site has been dedicated to helping you understand the first two bullet points. Listed below, in the resource section, are reputable security news sites/blogs and tools you can utilize.

That said, cyber risks are just one of the many types of fraud schemes. The fraud portion of this site discusses how to recognize fraud schemes in general, for both organizations and individuals, and has a resource section similar to the one below.

And once again, if you have any questions, please feel free to contact me.

Resources & Tools

This section lists resources and tools you can use to become safer, stay informed, and learn more. Many of these resources have been cited on the rest of the site.


Browser Extensions



Software & Apps.



Tutorials

Contact Me

Feel free to contact me through one of my profiles listed below.
I'd love to hear from you!