ZTH-CH2: - Security For Everyone

I will explain the importance of using strong passwords, what multi-factor/two-factor authentication is and why it is important and also explain some more security tips.

ZTH-CH2: - Security For Everyone

Introduction

Following on from Chapter 1, Chapter 2 will cover some more basics security advice along with tips on how to better secure yourself online. With Chapters 3,4 & 5 going into more detail about topics like how the internet works, troubleshooting beyond turning it off and on again, explaining the concept of what risk is and how it can be applied to digital life.

As well as covering off some more technical things this post will also explain the importance of using strong passwords, what multi-factor/two-factor authentication is and why it is crucial and also explain some more security tips.

Security Advice

Before diving into explaining some more technical things it is essential first to secure yourself. To better improve your security it is important to understand some core fundamentals in better securing the way you use the Internet. Here are some tips on best security practices to follow and keep yourself secure.

1. Use Two-Factor/Multi-Factor Authentication

Multi-Factor(MFA) & Two-Factor Authentication(2FA) are two terms thrown around a lot but are primarily a second way of authenticating to a website. It falls into something you know - your password and something you have - a second factor of authentication, usually a one-time passcode sent to your phone or a code generator.

I'd suggest enabling two-factor authentication where possible as it better secures your account against potential compromise. A great example would be; remember now, and again people get 'hacked' on social media and their account posts about ray-bans or other random rubbish? This is usually down to one of three reasons:

  • Password re-use(covered in the next point), can be corrected by using 2FA/MFA. Even if you haven't changed password yet(please change it though) having a second factor reduces the chances of an account compromise. As the attacker would need access to your phone(again not impossible but an extra layer of protection is always good).
  • Clicking on random dodgy links, don't do it please, think before you click, if it sounds too good to be true, it probably is...
  • Being phished - receiving an email from an unknown party pretending to be from a social media site, bank, shopping or another site with the intention of getting you to fill out your login details or other sensitive financial details.

There are other reasons people become compromised, but the reasons above are the most common.

Now that I've explained somewhat what 2FA is you might be wondering, "but Andy how do I enable these things?" Well now is the fun part, I'm going to explain how to do this in interpretive dance!

Seriously though here's a quick guide for the most common sites I'd say we all use, some of these are pulled directly from the respective sites:

GMail

  1. Open your Google Account.
  2. Navigate to the Two-Factor Authentication Section
  3. Select "Getting Started"

Twitter

  1. In the top menu, click your profile icon, then click Settings and privacy.
  2. Click on your Account settings and click Set up login verification.
  3. Read the overview instructions, then click Start.
  4. Enter your password and click Verify.
  5. Click Send code to add your phone number.
    Note: If you already have a phone number associated with your Twitter account, Twitter will send you an SMS to confirm your number.
  6. Enter the verification code sent to your device, then click Submit.
  7. Click Get Backup Code to view a code, generated by Twitter. We recommend you store a screenshot of the code in case you need it for future use. This will help you access your account if you lose your mobile phone or change your phone number.

Facebook

  1. Open Facebook either on mobile or desktop and navigate to settings.
  2. Select Security & Login
  3. Navigate to two-factor authentication, and select enable/turn on
  4. Enter a phone number (preferably the one you used a moment ago), so Facebook can send an SMS with a code in case you cannot use a code generator
  5. Enter that information and click Continue.
  6. Once you receive the confirmation code, enter it and click Confirm.
  7. Click Close, and you're good to go.

Amazon

  1. Go to Your Account and select Change Account Settings.
  2. Click Edit in the Advanced Security Settings section.
  3. Click Get Started to set-up Two-Step Verification.
  4. Add your primary phone number (this phone must be able to receive SMS messages) or download and configure an authenticator app and click Send code.
  5. Enter the code that was sent to your phone number or generated through the authenticator app and click Verify code and continue.
  6. Do either of the following:
    • Add a backup phone number and decide on the delivery format (text message or voice call).
    • Download and configure an authenticator app. This will allow you to generate security codes when you're unable to receive messages to your device.
  7. You won't be able to turn on Two-Step Verification without adding a backup phone number. This is so that you have a backup option to receive a security code if you no longer have access to your primary mobile device.

Office 365 Outlook

  1. Login to your account and click on your name to open up account access options and then select “View account.”
  2. A new tab will open up, and in the top header click the “Security” box
  3. At the bottom of the page is an option for more security options. Click the link to enable Two-Factor Authentication.
  4. Click on the button to “Set up Two-Step Verification” link. You’ll then be guided through the next steps to set up 2FA and make your account more secure.

Other sites have 2FA as an option, and I encourage you to look at enabling them. In addition to using your phone, you should also check out code generators such as Google Authenticator or Authy.

As a minimum your email and social media should have 2FA enabled, most banks provide a second factor of authentication be this via a passphrase or one-time code generator. These two websites have advice on how to enable 2FA on different applications, this can be searched by which site implements 2FA https://twofactorauth.org/ and this one has instructions on how to turn on 2FA for different sites: https://www.turnon2fa.com. Thanks to @j_opdenakker for the addition.

2. Don't use the same password for every site

In security, this is an age-old piece of advice but if you haven't got 2FA/MFA enabled then all an attacker needs to do is find your password either by guessing or in a password dump(when a website has been compromised, and passwords are posted online). Using this newly found password, they can freely log in to your online accounts. Other ways attackers gain access is by using a list of commonly used passwords to try and brute-force their way into your account.

Now if you fall into the category of using the same password for every site, an attacker only needs to gain access to one credential, and they mostly have access to all.

So the simple advice is to change your passwords, many people will find it difficult to create strong passwords, so my advice is to think of passphrases instead, as these create a long password which is more secure than S8p&rS3c9reP455w0R"D and more natural to remember too!

In addition to changing your passwords, I'd recommend looking at getting a password manager setup; I use two personally:

  • Keepass, this is a password manager mainly for windows, however, has a program for Mac and Linux too, however no official mobile client, there is a version for iOS called KeePass Touch & a version for Android called keepass2android. For mobile, I'd recommend using LastPass.
  • Lastpass has a plugin for most browsers, a mobile app for many platforms such as apple and android and has support for most operating systems too. It allows you to generate passwords per site and means you only need to remember your master password; it'll do the rest for you.

In addition to using a password manager, I suggest you audit the passwords you use already to work out if you do indeed use the same password or augmentation of the same password to access things. There is a great site called haveibeenpwned which will show if your email has been included in any breaches in the past. This will enable you to understand if your password is indeed out there and at risk.

3. Be vigilant about emails and links sent to you on social media

As I talked about earlier, when you see clickbait articles on social media, try not to click them as a lot of the time the sites in which they're hosted on are after something from you. Be this personal information, account details or even to send you malicious software.

Not just social media though, it is essential to be aware of phishing attacks. Phishing might be a term you've heard mentioned before, and it is one of the most common ways in which organisations become compromised, and attackers steal account details. Phishing mainly comes in two flavours fundamentally either:

  1. An email, social media message, text or call, asking you for details to accounts with the intention of gaining access to your account for financial or other gains by an attacker.
  2. An email, social media message or SMS with a link prompting you to download malicious software which puts your computer or device at risk of compromise.

Both scenarios put your accounts at risk and can be avoided by being more aware of these types of attacks.

Things to remember, if an email or message seems to good to be true it probably is. Nobody is going to give you a free holiday, car, computer or another expensive item, nobody is selling you cheap ray bans so don't bother clicking. There is not a Nigerian prince out there waiting to give you a million pounds or dollars so don't even entertain the idea.

Another point to be aware of is scams on online social media and emails, always be on the lookout for things that come across your inbox that sound too good to be true.

4. Install Updates

Tip number four is keeping your devices up to date. Be this your phone, your laptop, desktop, tv, router or applications on your device. You’re hard at work on your computer or device, and a message suddenly pops up saying, “a software update is available”. You’re busy, so you click “cancel” instead of “install”, thinking you’ll get to it later, but you never do. Sound familiar?

It's easy to skip updates as they can feel like they'll take up too much time however they are critical as often they are released to fix security issues and bugs. Often they also bring additional features to our devices. Many of the more harmful malware attacks in today's world take advantage of software vulnerabilities in typical applications, like operating systems and browsers.

These are big programs that require regular updates to keep safe and stable. So instead of procrastinating about installing software updates, see those updates as one of the most essential steps you can take when it comes to protecting yourself online and in your digital life.

All of these updates are aimed at making your experience better. Moreover, while repeated update reminders can be annoying, especially if you have a lot of different applications and devices, they can improve your experience in the long run and ensure that you get the most from your technology.

Where possible, select auto-update this will ensure you are always running the most up to date version of the software which makes your life easier.

5. Be careful with how much information you share online

Finally, my last piece of advice is to be careful you are not over-sharing on social media. This is for several reasons by over-sharing you may put yourself or others around you at risk, be this sharing you're going on holiday with the world this paints a target on you for attacks like burglary or region based attacks for online attackers who can craft specific phishing emails or links to get your information!

The main risk factors involved with oversharing are as follows:

  • Anyone can know your location: It can be fun to post a status update or a photo online to show your friends where you are or have been, but posting about your activities several times every day can be dangerous, mainly if it includes a specific location. Sure we are all going to tag location for the Eiffel Tower, London Eye, or the Golden Gate Bridge.
    However, one of the most dangerous features on social networking sites is location-based services. It exposes your location and whereabouts, with impressive accuracy, which usually appears on your posts in real-time. If you post three times a day every day, your commute, dinner, coffee shop, an evening out, then that's a brief time before you have a profile of regular movements. In short, very regularly posting updates on your location and daily activities could give a potential stalker the information they need to track you. This is also an extreme case for caution with younger audiences, so make sure you and your children or younger folks are aware of the dangers.

  • Targeted searches: Even if you have set the highest level of restrictions in your privacy settings on your social media accounts, there is still no guarantee that you can’t be found on the internet. There are two significant issues at play here. Firstly, anyone can be a victim of malicious attackers, and generally without even knowing it. Sharing too much extra information like your phone number, address, credit card number (heard of the credit card challenge? No? google it...) and even details like dogs name, children's names can be dangerous as they can be leveraged to attack security question like answers. Even in a private setting, this can give an attacker the information required for identity theft. The next thing you know, you’re receiving emails, post and calls from strangers(I've had it first hand, ID theft is not fun!), unknown purchases, phishing emails, or even second accounts under your name on social media or shopping sites.

  • Personal image is at stake: As much as we don't like to talk about it, employers will look at your social media these days. Social media gives people the freedom to express their opinions and share experiences with their social followers. However, posting too much can also damage your reputation especially of course, if you're trying to leverage the platform for business. Photos of partying, being drunk or anything inappropriate for sharing can quickly change how people see you. Pro Tip: Don't post complaints about your employer, or rants about your boss(I've seen idiots post things on social media which has cost them their job and even worse in one case caused an individual to be sued by a company for breach of contract), nothing is private and you never know who might be reading or watching.

All in, I hope this post has been helpful for you to secure yourself better and take a second look at the way in which you compose yourself online. If you've got additional tips to let me know @ZephrFish on twitter, please.

If you missed part 1 or want to read part 3 they can be found here:

First
Third