A CLEAN START
[We are pleased to introduce a new column for To The Point, CyberTex by TTPer Tex Manchester. As one of the world’s top experts in cybersecurity, Tex will be informing you on the real secrets of protecting your online privacy. This is an exclusive for TTPers only. He says he is honored to join us. We are honored to have you, Tex! –JW]
Fellow TTP’ers, I am honored and humbled to join Dr. Wheeler and all of the esteemed columnists here in this “Oasis for Rational Conservatives.” While you’ll see me on the Forum discussing politics, this and future columns will take things in a different direction:
- How can laymen protect themselves and their families from the cybersecurity threats facing them each day?
- With the flood of “advice” online, how can people educate themselves on what these recommendations actually defend them against?
- And more importantly, what do they not do?
Dr. Wheeler asked me to begin this column based on a series of conversations on cybersecurity that were eye-opening to him as a user of technology. So, let’s begin with the first of those topics based on a very good question he asked while we were troubleshooting something on his phone:
“If I use hard-to-guess, different passwords across my email and other accounts am I protected from hackers?”
As Ronald Reagan famously said, “…perhaps there is a simple answer – not an easy answer – but simple.”
That sums up the world of cybersecurity perfectly and is a great place to begin to answer this common question.
The hard truth is:
No matter what other countermeasures have been taken, everyone from the average individual to the most highly secured, classified government agency is equally at risk if:
- The “keyboard” (device, computer, phone, etc.) isn’t clean
- The keyboard isn’t kept clean
This is a universal principle that is articulated and understood in many other areas of our lives but remains unknown to many when it comes to the computers and other devices we use. For the first condition, think of the foundation of your home. All other components of your house are dependent upon the strength and integrity of the foundation. If water, mold, termites, etc. permeate your foundation, it doesn’t really matter how beautifully constructed or how secure the rest of the house is.
In the end this “system” will fail.
Taking this further, think of the U.S. Embassy in Moscow, on which we spent billions to make supposedly one of the most secured facilities in the world, only to discover that the insides of the walls were embedded full of Russian bugs to spy on us.
For the second condition, think of a computer system as an operating room. It doesn’t matter how sterile the operating room has been prepared if the physician is allowed to enter the room without being validated as equally clean themselves.
“Ok, Tex, but how does all this apply to me just wanting to check my stocks on my phone?”
Simple, but not easy: If your phone, computer, or tablet has been compromised at the Operating System layer, all the strong passwords, Multi-factor authentication (such as your bank sending you a text with a one-time code), encryption, and other countermeasures are totally useless.
I’m willing to bet this hasn’t been shared with you by your average Geek Squad tech or Apple Genius, but that’s the hard, “red-pilled” truth.
In the world of computing, an Operating System (or OS) is the software that sits in between the hardware and the applications you want to run. Common examples are Apple’s iOS and MacOS, Microsoft Windows, Linux, Google’s Android, and countless others. No matter the marketing, ALL are equally vulnerable.
(Side note: It’s always fascinating to me to hear people try and say that OS A is somehow magically more secure than OS B because OS A “has fewer ‘viruses’”. Future readers of this column will learn why this is a dangerous and false sense of security, as viruses are only one of many threats. Many a CISO has made the same mistake and watched their stock drop by half, but I digress…)
The OS is the foundation of your computing world, so if an attacker has compromised it they are fully capable of:
- Doing anything you can do on that device
- Reading or changing anything you have on that device, and anything you can access from that device (e.g. your email, your bank, DropBox, iCloud, OneDrive, etc.)
- Stealing your credentials to any service used on that device
Using strong passwords is important, but guessing passwords is usually not what hackers actually do today. They steal your “credentials”, which are more than just your passwords. Credentials are the way in which your passwords are protected by your Operating System so that when you need to authenticate you avoid sending those passwords “in the clear” (i.e. readable vs. scrambled) from your system.
For example, if your password is “Lollipop Oh Lollipop!” it is scrambled (or “hashed”) based on any number of standard mathematical algorithms into something like this:
The idea being that to reverse that long string back into the original plain text of “Lollipop Oh Lollipop!” is meant to take so long as to be impractical. So, what’s a hacker to do if they can’t:
- Easily guess the password
- Easily decrypt the password
Also simple: They steal the scrambled version and “replay” it like a tape recording used to defeat a voice analyzer in the movies.
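A worked version of the hashing the column describes, as an added example that is not part of the original column: the sample password is hashed one-way, then stored the way a well-designed service should (with a random per-user salt and PBKDF2), which is why a stolen stored value is still a credential to be protected rather than something that can be turned back into the password. The function names and the 200,000-iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# The column's sample password, used here as constructed input.
PASSWORD = "Lollipop Oh Lollipop!"


def plain_hash(password: str) -> str:
    """Unsalted SHA-256 of the password: one-way, but fully deterministic,
    so the same password always scrambles to the same 64-character string."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: a random per-user salt makes identical passwords
    produce different stored values, so precomputed lookup tables do not help,
    and the iteration count makes each guess deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What a service should store: salt, iteration count and derived key,
    never the password itself (assumed record layout for this example)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": 200_000,
            "key": salted_hash(password, salt, 200_000)}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the key from the attempt and compare in constant time."""
    candidate = salted_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def same_password_different_records(password: str) -> bool:
    """Two sign-ups with the same password yield different stored keys."""
    return make_record(password)["key"] != make_record(password)["key"]


if __name__ == "__main__":
    print("unsalted SHA-256:", plain_hash(PASSWORD))
    record = make_record(PASSWORD)
    print("correct password accepted:", verify(record, PASSWORD))
    print("wrong case rejected:", verify(record, "lollipop oh lollipop!"))
```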
“But Tex: What if that scrambled thing doesn’t work? What if I use a text code like my bank tells me is really secure?”
Also good questions, but remember the core concept that anything you can do on your device, the attacker can do too. So, they run a special kind of malware on your system called a “keylogger.” This will steal the plain-text version (e.g. “Lollipop Oh Lollipop!”) by recording everything you type.
You might think this is also something out of the movies, but this is how a lot of malware that attacks everyday consumers functions (its authors often lack the skills for the kinds of exploits needed to grab the password hash, or think a keylogger will keep them under the radar better).
“Well what about using that one-time code, Tex?”
Using any method of Multifactor Authentication (or MFA) is a good thing, if the one-time code is sent to a device other than the one you’re presently using, such as a text sent to your phone while accessing your banking while on your tablet or PC.
It does prevent anyone that has stolen your password, be that from your device or from your bank or email account, from logging on from any other device in the world. It does not stop them from accessing anything you can access from that compromised device; a fact often not well-understood. So, if your tablet or PC is compromised, enabling MFA hasn’t stopped the attacker.
Not. One. Bit.
“Well now that you’ve scared me to death, what do I do, Tex?”
Again the answer is simple, but not easy:
1. No matter what device you are using, keep its Operating System and all of your applications up-to-date. Oftentimes computer “experts” will advise you to “stay one version behind” in a well-meaning effort to avoid the latest software from breaking something. Anyone that’s been burned by an Apple update or Windows patch can empathize, but the risk that an update “might” break something is very low compared with the real-world certainty that not updating leaves you open to compromise. It ain’t 1995 anymore, so enable automatic updates on your Windows 10 PC (because running anything earlier than 10 is online suicide), Mac, phone, etc. Whether you think (or have been told) it’s some grand conspiracy of forced obsolescence or not, a system designed five or ten years ago cannot defend against threats thought of a few months ago.
2. Any device on which you want to do anything important, like shopping, banking or filing taxes, should not be a device on which you visit any web sites other than those (and TTP). The short of it is the more web sites you visit, even legitimate ones like Forbes, the greater chance you have of your device being compromised. For example: https://www.newsy.com/stories/forbes-thought-of-the-day-used-to-hack-readers/
3. If you do use this device for email, unless you are in the 10% of people who don’t click any links in email (much less links in fake, phishing emails) or open any attachments (even from people you think you know), reconsider this practice and do your email from a different system than the one you use for these critical activities. (A future CyberTex column will delve into email security and how to join that 10%.)
4. Only use software from trusted sources. On Apple’s iOS, every application must be downloaded from their store, which is a good thing as they do an extensive job in scanning all code posted there for malware. The same is true on Google’s Android if you stick with Google Play. However, on Android it is possible to load applications from other sources, just like on a Windows PC, Mac, and Linux.
Windows PC, Mac, and Linux are designed for maximum flexibility. A future column will cover more details, but the move to Windows Store and Mac Store will greatly help the layman on these platforms run software that is much more likely to be clean.
In the meantime, only load software from a vendor’s website. Never, ever download software (most notoriously “updates” for “drivers”) from any website that didn’t produce the software or isn’t your hardware vendor’s site. Never click on any prompt in your browser telling you that you need an “update” to visit the site, your system is insecure, etc. They are all, without exception, scams to install malware and compromise your computer.
5. Notice I haven’t mentioned anti-virus yet. Why? Because it is rendered moot by the previous 4 items in this list. Anti-virus is today at best about 30% effective at stopping malware. It’s near-0% in stopping a determined attacker and also near-0% if not kept up-to-date daily. (Again, a future column will go into why Antivirus is like charging machine guns with cavalry in WWI.)
To conclude, all of the advice you’ve probably received on not using “insecure Wi-Fi”, simple or shared passwords, etc. is still valid, as it does mitigate very specific threats. However, all of these best practices are academic and ineffective if the foundation (the operating system) of your device has been hacked.
Until next time:
Tex Manchester is TTP’s world expert on cybersecurity. He travels the world advising Fortune 500 security executives and professionals on how not to be in the news. However, he is even more passionate about helping everyday people protect themselves in today’s connected world. Especially TTPers.