Personal Cybersecurity 101

Defense Secretary Chuck Hagel used his first visit to Asia to ask China to stop hacking into and spying on our networks. You don’t need the perspicacity of Nostradamus to see that spending on cybersecurity by the Defense Department over the next few years and decades will skyrocket and rival that of every other division of the US DoD. It is also a harbinger of the risks and attacks to come.

Today cyberattacks are what we use instead of missiles to slow down a country when it is trying to make nuclear weapons. And that was 3 years ago.

While governments may be rapidly building armies of cyber warriors, like the US Cyber Command in Maryland, individuals are relatively defenseless and most of us aren’t even aware of the risks of being attacked in cyberspace.

To illustrate the risk, here’s how I’d target a specific individual:

  • Create a payload designed to infect their OS X or Windows workstation. The infection would log all keystrokes and send them periodically to my anonymous email address. It would also give me remote access on demand to their workstation to peruse and download files. 
  • Leave the infection lying around their home and place of work on USB thumb drives hoping they’ll install it.
  • Mail a thumb drive to them with the Google logo on it on an envelope that appears to come from Google with a nice letter explaining how they won something.
  • If that doesn’t work I’d crack their home WEP or WPA wifi encryption, gain access to their network and run a vulnerability scanner like OpenVAS on their workstation to find holes. Then I’d fire up Metasploit and exploit and access whatever I want to.
  • Gain access to all the target’s online and offline data.
  • I’m looking for as much personal data as I can find, specifically a social security number.
  • If I’m still unable to get access to that, I’d try social engineering. I’d send them a piece of mail with a bank letterhead and logo warning that an account is about to be suspended with an 800 number that is actually my number. Authenticating themselves when calling my number would require they provide their full social security number and other valuable data.

The point here is that if someone who knows what they’re doing decides to target you, you’re in trouble. You can use stronger encryption on your home network, use strong passwords, install anti-virus and firewall software and so on. But at some point you’re going to slip up and they’re going to gain access to sensitive data that lets them do a lot of damage in your life.

Once you’ve taken the obvious precautions, here’s what I suggest to help protect yourself.

  • Sign up with a reputable identity monitoring or credit monitoring service. I particularly like the feature of receiving SMS alerts when a threat is detected.
  • Get a reputable credit card like Visa Signature that reverses fraudulent transactions no-questions-asked and immediately issues a new card. Use this for online purchases and keep a close eye on your account activity.
  • Only use your debit card to draw cash from trusted ATMs. Never use it for online transactions.
  • Keep your cash in several savings accounts, monitor them carefully and make sure that all authentication to access those accounts is strong. Two-factor authentication, where you enter a password and then also have to enter a code sent to your phone, is an excellent additional layer of security.
  • Pull your credit history yourself from time to time to monitor it.
  • Don’t get social-engineered. If someone calls you up, says they’re from an institution you bank with or trust and starts trying to get information from you, ask them for their full name, position and a callback number. Then don’t call it back. Instead call the main switchboard of the institution and ask for that individual. If they don’t exist, try the callback number. If they answer, hang up and call the cops with the info.
  • Never use the same password across services or websites. If you do, when one website gets hacked, your username/email and password will get out and at some point a hacker will try that combo on all other major online services. You could choose a base password, and then add something to that password that uses some attribute of the website (like the domain name) and runs it through a formula you’ve memorized. For example, you could have a base password of ‘1c00ld01phin’ and take the first four letters of the domain name, rotate the letters by one and add the position of the first letter in the alphabet as digits to the end. So would become ‘1c00l101phinfcbz5’. That’s a simplistic formula and you can beef it up by adding letters or digits at the beginning or at a specific position within your base password.
  • If you run a website or a server on the net, make sure all software on the system is up-to-date. Install OpenVAS or Nessus, learn how to use it and run a vulnerability scan on your own system every quarter. You can also find out what your home IP address is using and use the same tools to run a scan on your home IP address. You can also run the scan from your home network to any workstation or mobile device like an iPad or iPhone on your network to find out if your own machines have security holes.
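
The per-site password formula from the password bullet above, written out as an added example (not code from the original post). It uses the base password quoted there; the sample domains are constructed, and ignoring a leading "www." and skipping non-letter characters are assumptions the post does not spell out.

```python
# Added example: the per-site password formula described in the post.
from collections import defaultdict

BASE = "1c00ld01phin"  # base password quoted in the post


def site_suffix(domain: str) -> str:
    """First four letters of the domain, each rotated forward by one
    (z wraps to a), then the alphabet position of the first letter."""
    name = domain.lower().strip()
    if name.startswith("www."):  # assumption: ignore a leading "www."
        name = name[4:]
    # Assumption: digits, dots and hyphens are skipped, letters only.
    letters = [c for c in name if "a" <= c <= "z"][:4]
    if not letters:
        raise ValueError(f"no letters in domain {domain!r}")
    rotated = "".join(chr((ord(c) - 97 + 1) % 26 + 97) for c in letters)
    return f"{rotated}{ord(letters[0]) - 96}"


def site_password(domain: str, base: str = BASE) -> str:
    """Base password followed by the per-site suffix."""
    return base + site_suffix(domain)


def shared_passwords(domains):
    """Group domains for which the formula yields the same password."""
    groups = defaultdict(list)
    for d in domains:
        groups[site_password(d)].append(d)
    return {pw: ds for pw, ds in groups.items() if len(ds) > 1}


if __name__ == "__main__":
    # Constructed sample domains (reserved example/test names).
    sample = ["example.com", "example.org", "www.zebra.test",
              "bank.test", "bankers.test"]
    for d in sample:
        print(f"{d:16} {site_password(d)}")
    for pw, ds in shared_passwords(sample).items():
        print("same password:", ds)
```

The last lines of output show that domains sharing their first four letters receive the same password under this formula.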

It’s surprisingly easy to hack into someone’s life. I’ve had websites hacked and my family has been hit with identity theft (driver’s license stolen from mailbox) and it’s a real pain to dig yourself out. But with a little preparation you can minimize the risk and if it does strike, catch it early and recover quickly.