This article was first published by Alan Henry on LifeHacker.com on 21 February 2019, and has been adapted for publishing on the Cogito Ergo Sum Blog
Some computer security myths and stories that keep getting passed around, even though they’re clearly not true. There are still some computer security stories that everyday users continue to believe, even though they have either been long debunked, or because they keep getting spread around. Computer security and forensics experts Frederick Lane and Peter Theobald weigh in on the truth behind some security myths we’ve all encountered on a regular basis.
This is often referred to as “security through obscurity”. The idea is that because the internet is vast and the odds are in your favour, you’ll never be targeted — and even if you were, you don’t have any personal data of value on your computer worth taking.
The problem with playing the odds is that, of course, it only takes one bad roll to ruin your day. While it’s true that most of us don’t have to worry about being individually targeted, the most common threats aren’t the ones that target you specifically — they’re internet-wide fishing expeditions by automated bots looking for vulnerable computers and networks. Similarly, it may not be your data someone wants — it’s your vulnerable, broadband-connected PC. Your computer is the valuable asset, Frederick Lane explains:
“The device itself (or the storage space on it) is potentially useful to a hacker as a remote storage unit for contraband materials (i.e., child pornography), or as a zombie/slave in coordinated denial-of-service (DOS) attacks on Websites.”
Even if you don’t think your data is valuable, keep in mind that any personal or financial information is valuable to a potential identity thief. Bits and pieces can be assembled with other information from other sources to create a complete picture. In this case, a little prevention goes a long way. There’s no reason to put yourself at risk.
Tor disguises your web browsing so you stay anonymous, the same is true for VPNs. However, it’s important to note that both services are only as smart as the person using them. Both are great tools at what they do, but remember: They’re just tools. Lane explains:
“If I use Tor, no one can figure out what I’m doing. Tell that to the Harvard kid who logged into TOR on a campus computer to post a bomb threat last December, only to be stunned when law enforcement and Harvard IT employees were able to identify the computers that were used to access the network within a given time frame. They narrowed the suspects down to one who actually had a final, and when they showed up at his door, he confessed (no doubt out of shock). It is REALLY hard to be completely anonymous online.”
Bottom line: Services like Tor and your favourite VPN are great for protecting your identity and security on the internet, but they’re not foolproof. Tor helps preserve your anonymity and defends you against companies that harvest your data, including your ISP. A VPN encrypts all of your traffic so you can be sure your communications are secure from prying eyes or snoops. However, in both cases what you do can give you away, you’re still riding someone else’s network, and someone skilled and determined enough to decrypt or log your activity can do so. We still believe Tor and a good VPN should be part of your security arsenal, but if you think they’re all it takes to be completely secure and anonymous, think again.
Most of us know better than to leave our Wi-Fi networks open to the world, but wireless security isn’t something you should trust to obscurity. We still see people who leave Wi-Fi networks unencrypted, and instead hide their SSID or use MAC filtering to “secure” them. Unfortunately, while these methods may deter non-technical passers-by, it won’t stop anyone with technical knowhow. Theobald explains:
Hiding your wireless network’s SSID is a mostly useless attempt at security. It may keep your nosy neighbour from seeing the name of your network, but as soon as you use your wireless network, you send your SSID name over the air anyway. In addition, hiding your SSID makes it more painful for your own computers and devices to connect to it. Hiding your SSID will make it difficult for legitimate users and won’t stop any hackers. So go ahead and display your SSID, and while you’re at it have some fun and scare the neighbours by naming your network “NSA_MobileTappingStation”. Don’t run your wireless network unencrypted and don’t use the obsolete WEP encryption standard. It can now be cracked in seconds with simple, free-to-download tools. The best encryption standard to use is WPA2. While not perfect, it is the best available. Use a good long password that isn’t in the dictionary for better security. Some wireless routers have an option to let you list all of the MAC addresses, which are similar to a serial number for your devices, that will be allowed to connect to your router. If you don’t mind the additional housekeeping of keeping track of your devices’ MAC addresses and your visiting friends and relatives devices’ MAC addresses there is no harm in using this setting to add another obstacle to hackers. It won’t stop a persistent hacker though, as they can watch your wireless traffic and see what MAC addresses you are using, then spoof one of those to gain access.
Easily available Wi-Fi scanning tools like Kismet can pull hidden SSIDs and MAC addresses out of the air. 802.1x as the best standard for WIFI, and should be considered above WPA2.
Actually, Incognito mode can protect your privacy — but only from other people using your computer. It’s not actually a privacy tool that protects you from the rest of the internet. Even though you’re warned each time you open an Incognito window, many people still think that browsing in Incognito mode means they can’t be tracked, their ISP can’t see what they’re browsing, or they’re somehow anonymous to the party on the other end of their connection. None of those are the case.
Google explains in its FAQ (linked on every Incognito tab) that the sites you visit may still have records of your visit, and anything downloaded from those sites (including cookies, in some cases) will remain. Firefox has a similar FAQ on each Private Browsing tab. So, for example, if you log in to your Google account while browsing in Incognito mode, your Google Searches will still be saved in your web history. If you allow extensions to run in Incognito, any information they record or transmit will persist as well.
Most importantly, the sites or webapps you visit downstream still know who you are, have your IP address (and can match it to previous or future sessions) and can keep track of what you do while there. On mobile devices, Incognito mode may offer even less protection than on the desktop. Superuser has a great thread on this topic as well.
Secure computing, just safe driving, doesn’t just depend on your habits. It depends on the habits of everyone else as well. Recently it was found that hackers had managed to put the ‘Styx exploit’ into advertisements that were shown on YouTube. Anyone who viewed a YouTube page with those ads had their computer attacked and possibly infected with the Styx virus. So you could have been only visiting “safe” websites, but even YouTube got hacked! The only defenses to these “drive-by” viruses is to update your operating system and software frequently to get the latest security patches and run anti-virus software. If you want to be more proactive you can be even safer with software like NoScript and Privoxy which give you great security at the cost of more hassle.
While malware doesn’t exactly make news these days, that doesn’t mean it’s not a significant threat. Similarly, malware today is often designed to avoid detection. As we mentioned earlier, the goal is to use your computer as a resource, a zombie in a botnet, a Bitcoin mining machine, or a storage locker — as well as quietly harvest data while it’s running. You may also remember the whole Chrome extension malware fiasco from a few months back. You may never know something you thought was reasonable on your system is behaving badly until it’s too late for “common sense”.
Even if you’re sure that you don’t visit anything “risky”, it’s important to have the right tools at your disposal just in case.
Digital Identity and Security
Cogito Group is an award-winning cybersecurity company specialising in authentication, cloud security, identity management and data protection. Cogito Group protect the authentication methods used to access information through the use of Identity and other security technologies.