I used to begin my Computer Security class at Ulster University by telling students that, if they wanted to be secure online, then do not buy a computing device. If they must buy one, don’t turn it on, and if they did turn it on, then only use it for 10 minutes. I was being facetious of course but there was some truth in it. Of course, if you have no electronic device then you cannot be hacked and if you only use it for very short periods and have less of an 'online footprint' you are less likely to encounter a virus or malicious payload. However, like many security recommendations, it is simply not pragmatic.
I do, however, stress to students that they should only take my recommendations on security issues and safe practice to be correct on the day that I voice them, as I am only too aware of the changeable landscape of modern computer security.
Take a standard security recommendation from the last few years, which was to enable two-factor authentication on accounts. Two-factor authentication is an extra security layer built from two of three kinds of factor: something the user knows (a password or PIN), something the user possesses (a phone or a hardware token), or something inseparable from the user (a fingerprint or face). A common implementation combines a password that only the individual user knows with a one-time passcode, valid for a single login, consisting of digits sent to their mobile phone by SMS.
In recent weeks, however, we are being told to stop relying on this 'trusted method' because of its dependence on the SMS channel. Researchers have demonstrated attacks on the SS7 signalling protocol that underpins the mobile phone networks: an attacker with access to SS7 can tell the network that the victim's number is roaming on a network the attacker controls, so the victim's calls and text messages, one-time passcodes included, are routed to the attacker. In fairness, the SS7 attack involves targeting a specific individual and requires a high level of skill and access to signalling equipment, and the same result can be had more cheaply by persuading a mobile operator to transfer the victim's number to a SIM the attacker holds. The problem is that there is always someone out there making the hardware cheaper and the software easier to use, so we can expect to see lesser skilled attackers mounting SMS interception. The new recommendation is to use tools like Google Authenticator or an RSA token: these generate the one-time code on the device itself from a secret shared at enrolment and the current time, so possession is proved without any message crossing a channel that can be eavesdropped upon.
Of course, the most effective way for hackers to gain a foothold on people's computers and install keyboard loggers, viruses or ransomware is to get people to click on links which lead to their nasty files, either by planting those links on websites or, more commonly, by sending people 'phishing emails'. The first line of defence against these attacks, apart from firewalls, anti-virus software and intrusion detection systems, is simply to educate people about the dangers of clicking on links. Sadly, only a fraction will listen, and it generally takes a mistake before people learn, by which point it is already too late.
There is a great modern initiative where security teams send phishing emails to their own employees which, when activated, simply lead them to a site telling them about their mistake and educating them on the dangers of what they did. It reminded me of the super advice from the investigative security journalist Brian Krebs, who warns: (1) If you didn't go looking for it, don't install it. (2) If you installed it, update it. (3) If you no longer need it, remove it.
To elaborate on this advice, "If you didn't go looking for it, don't install it" relates to the tricks which attempt to get us to click on links, such as a fake anti-virus pop-up telling us our computer is infected, or a video page which complains that you need to install a special codec to view the content. Only install software or browser add-ons if you went looking for them in the first place. The second rule, "If you installed it, update it", refers to the importance of keeping our software up to date with the latest patches. Just remember that the likes of Microsoft, Apple and Google have scores of security personnel striving to fix any vulnerabilities which come to light, smart people with a vested interest in making sure their products and operating systems are as secure as possible. You do not have to love them or trust them, but know that most security geeks apply the patches when they are released, because once a patch is public the flaw it fixes is public too. Finally, the last rule, "If you no longer need it, remove it", is a common-sense directive: a piece of software residing on your device which you no longer use could be the very piece which you fail to update (or for which the developers no longer release patches), leaving a hole for attackers to exploit. Why keep it if you no longer need it? At the very least, it is using up some of your device's storage.
Just in case you think I am being a little paranoid, remember that modern malware takes great pains to remain under the radar of leading anti-virus solutions. A typical dangerous specimen will send information about its target, including screenshots, keystrokes and clipboard contents, credentials and sensitive documents, back through a sophisticated botnet of command-and-control nodes, all the while covering its own tracks very cleverly. A key trend now is 'radio silence': by monitoring the processes running on the system, the malware knows when it is being watched and simply shuts up and lies dormant.
Malware can be distributed via removable media and local area networks. It can snoop on a network, enumerate network resources, and harvest passwords that are sent across that network unprotected. It can capture the contents of any fields filled out, even when obscured by asterisks or dots (e.g. password fields), scan the disks of an infected system seeking specific content, take screen captures when particular programs are running, and activate the microphone to record any sounds in the environment over a long period. And I have not even touched on the modern nightmare which is "ransomware", which encrypts all your files and demands a payment within a short window; unless you pay, the key needed to recover those files is withheld or destroyed and they are lost for good. It must only be a matter of time before ransomware starts to leak our sensitive files piece by piece online, in an attempt to force us to pay the ransom quicker. Some of the most sophisticated ransomware operations even have call centres to help you make the payment. How sweet...
To conclude, there is a concept of lifelong learning, introduced in Denmark in the 70s, which is the "ongoing, voluntary, and self-motivated" pursuit of knowledge for either personal or professional reasons. It not only enhances social inclusion and personal development, but also self-sustainability, as well as competitiveness and employability. This is a concept we need to apply in our quest to remain safe online. Police forces no longer really bother about the paper trail when they search a house, all they need to do is grab the mobiles, tablets and laptops as that is where the evidence lies. We as a society are moving to a virtual world and storing the keys to the kingdom therein, so it behoves us all to do all we can to protect what is there. So next time you read a security article, check out the date as well. It might just save you a lot of pain.
Dr Kevin Curran, senior member IEEE & reader in computer science at Ulster