Virtually everything we do today involves our smartphone, laptop, home computer, and increasingly voice-operated devices like Amazon Alexa, Google Assistant or Apple Siri. Added to the mix are devices in your home, commonly referred to as the Internet of Things (IoT), like Ring doorbells, Nest cams, and smart locks. While all of these devices keep us connected to one another, streamline our lives, and can make us more physically secure, they also pose threats. These devices make us more vulnerable to identity theft, monetary loss, and potentially unwanted government and corporate intrusion on our privacy.
As a private investigator, my job is all about collecting information. As such, there is an intersection of data collection and cyber security that I interact with on a daily basis. Because of the crossover, clients are engaging me with questions about cyber security and how to protect themselves. This quick and easy guide is a brief discussion of the risks and what you can do to strengthen your cyber defenses.
To be honest, security is inconvenient. There is no other way to describe it. We must all make the decision about how much security we are willing to deal with despite the inconvenience it can become. In all instances though, just a little bit of security can actually go a long way. The best rule of thumb is that it is better to have it, even in small doses, than to leave your entire life open to potential threats.
First it was passcodes, then thumbprints, and now Face ID to log into your smartphone. The first rule of security is to have some sort of lock enabled on your phone. Most of us have our entire lives on our smartphones. Your pictures, files, social media and bank account information are all conveniently available in one small device, which fits easily in the pocket of your pants.
While thumbprints and Face ID have become the norm, they might not be the most secure. Think about it, someone could forcibly put your thumb on the sensor, or put the phone up to your face to unlock it against your will.
The most secure locking method for the foreseeable future is a passcode. Most smartphones allow passcodes regardless of thumbprint or Face ID access. Any kind of passcode is better than nothing, even if the passcode is 4 digits. Most smartphones, however, require a minimum of 6 digits for the passcode. The best passcode is going to be one that combines numbers and letters and exceeds 6 digits. I will talk more about secure password combinations later. Remember, any login method on your smartphone is better than no security at all.
If you want to delve into the world of easy, encrypted communications, you have two good apps to pick from. The most widely used is called WhatsApp and is owned by Facebook. WhatsApp promises end-to-end encrypted voice and texting as well as a host of other file-sharing and group text features. It is easy to use and prevents casual eavesdroppers.
A step up from there is an app called Signal. While not as widely used, this app was recently approved by the US Congress for secure communications between elected officials and their staff. Signal claims to have extremely strong encryption for both voice and text.
Always remember, nothing we do online is un-hackable or completely secure. Anyone with enough time and money can break encryption algorithms. The good news is, for most of us, no one is trying to specifically target and hack us. Meaning, using these apps is about as good as it gets for secure communications.
While Facebook claims it can’t read what you are sending or saying on WhatsApp, I would always err on the side of caution and act as though they can read what you write or hear what you say. Signal on the other hand appears to be more secure and does not have a parent company attached to it that is trying to sell advertisements (think Facebook).
There are some rules you always want to follow when using your laptops or home computers. First, have a login password. Don’t leave your computer open to just anyone. Second, make sure your operating system is always up-to-date. The two dominant operating systems, iOS from Apple and Windows from Microsoft, have updates set to automatic. Be sure to keep it that way as both companies spend a considerable amount of time and money ensuring their products are as secure as possible. Third, and along those same lines, be sure you are using the most up-to-date operating system. Apple and Microsoft pour all of their attention into the latest and greatest operating systems, meaning the security will be as good as it can get. Fourth, get a password manager, discussed below.
Passwords are the bane of our existence and one of the weakest links in our security set-up. Most of us have one, maybe two, passwords we interchange between websites. Here is an example of the top 25 passwords of 2017 from Fortune.com, just to illustrate how poor we are at creating passwords:
Using one or two passwords puts us in a precarious position when, for example, our bank gets hacked and that password is compromised. If you only have one password for all of your websites, the hackers could easily hit all of your known websites and enter at will. It also means when you get the notice your password was compromised, you now have to change it on the 50 other websites you are using.
A password manager solves those problems. The two companies I recommend are LastPass and 1Password. Here is how they work. You are asked to create a master password. It can be anything you want, as long as it is not one of the 25 above, a birth date, a kid’s name, or anything else familiar. I use the following scheme when I am thinking of a difficult master password. Use a sentence you are familiar with. We will use this one:
“The quick brown fox jumped over the lazy dog”
Your password would be a combination of the first letters of each word. In this case it would be:
If you wanted to add a number of significance, punctuation or an uppercase letter you could do that as well. If it were me, I would add these characters to the password like this:
That’s a pretty good unique password that is easy to remember and virtually impossible for someone to guess.
When using either LastPass or 1Password you first enter your master password. Each company then has what is called a password manager where you enter all of the websites you use which require a password. During this process the password manager assigns a new, strong and unique password for each website you use. The password managers can create random passwords with uppercase and lowercase letters, numbers and symbols from one to 100 characters long. Once you have assigned your websites a new password, the password managers remember each unique password and automatically enter your username and password when you visit the website.
Now you only need to remember your one master password and the manager does the rest. It is one of the few positive instances of blending security and convenience.
If a password manager is a great way to achieve more cyber security, using two-factor authentication (2FA) seals the deal. 2FA works like this: when you log into your account using your login name and password, the account sends a unique code, typically to your cell phone, which you must enter before gaining entry to your website.
2FA is your last line of defense and a very good one at that. Should a hacker compromise your unique password, they still would not gain access unless they had your cell phone and could receive the 2FA unique code.
2FA is not perfect, though. Recent studies suggest cell phones can be compromised, meaning a savvy hacker might be able to clone your phone and receive your 2FA code. While still extremely rare, companies like Google have come up with a solution. Google has the Google Authenticator App that you link with supporting websites. The app has what I call “rolling 2FA codes.” These codes are constantly changing every 30 seconds to a minute. So rather than receiving a 2FA code on your cell phone, you simply enter the “rolling 2FA code” contained in the Google Authenticator app after you log in.
Conceptualizing these things can be confusing in writing. If you are interested in this, the best thing you can do is download the app and start using it. The learning curve is not difficult, and you will figure it out very quickly.
More and more items in our homes are getting connected to the Internet. Commonly referred to as the “Internet of Things” (IoT) they include anything connected to the Internet like doorbells, security cameras, lights, alarm systems, door locks, televisions and even certain refrigerators. Increasingly, security researchers are exposing more and more security holes in these devices. It is unnerving to say the least that your security camera or door locks could be hacked and used to confirm you are not home and then open your doors on command.
So what can you do to protect yourself? It depends, as there are pros and cons to each of these devices. If you are the slightest bit uncomfortable about someone peeking into your home without your knowledge, it is best to limit the number of connected devices you have. If you are a techie and need the latest and greatest, make sure you are doing two things.
First, purchase IoTs from only reputable, well-known companies and then ensure your IoT software is up-to-date. Companies producing IoTs, like Ring, Amazon, FLIR, Samsung and Nest, keep their products up-to-date with the latest security features. Fly-by-night or overseas companies, generally speaking, will not spend the time, effort or money to ensure their products are secure in the long run and should be avoided.
Second, whatever passwords are provided by the IoT manufacturer, change them, and also make sure the login name is not “admin,” which oftentimes is the default. Most, if not all, of the major manufacturers will let you change those items.
Last on this list is the new wave of voice-activated assistants. Alexa from Amazon, Google Assistant from Google, and Siri from Apple have infiltrated our homes and our pockets. Security researchers have raised suspicions that each manufacturer is constantly listening to your private conversations in an effort to sell you more stuff. The manufacturers all claim each device is only listening for the keywords, like “Hey Google,” “Alexa” or “Hey Siri” before they enable full length listening. They also claim the devices are only recording what comes after the keywords.
For now, we have to take the manufacturers’ word for it and hope they are not recording everything we say. But there are other considerations to take into account. If Amazon is listening to how many times I say, “I like Dawn dishwashing detergent” so they can send me an ad offer for Dawn, that’s only a minor problem. It is a serious problem, however, if Amazon records a private conversation that the government is interested in obtaining.
Sound like a conspiracy theory? Think again. Just last year prosecutors in Arkansas asked for a defendant’s Amazon Alexa recordings in his murder case. Amazon pushed back against the request citing 1st Amendment (the right to free speech) issues, but it has to make you wonder. Was it really free speech or did Amazon not want to reveal how much they are actually recording and retaining of your private conversations? It doesn’t take much effort to see the slippery slope this could become in even the most trivial of matters where the government is involved. Is that a risk you are willing to take?
The Internet is here to stay and will always be a part of our lives. Security is inconvenient but is something we must all contend with. Implementing these simple strategies will make you just enough of a hard target that most hackers will move on to someone less secure. It will also give you peace of mind and allow you to enjoy the conveniences of a connected life here in the 21st century.