By Tiago Palma & Derek MacDonald
In an age of digital technology and globalization, people who dedicate their lives to promoting human rights, international development, and social justice have become increasingly dependent on digital communications. The open nature of the internet lets information flow freely, but it also leaves many of these people exposed to intrusions from attackers anywhere in the world. Given the recent wave of high-profile hacks, now is a good time for digital humanitarians and digital peacebuilders, and indeed anyone who uses the internet for their work, to rethink how well they can keep that work safe from security breaches.
In early June, PeaceGeek friend Derek MacDonald from Scale Free Systems gave an Information Security presentation at the HiVE Vancouver for anyone who was interested in learning more about how to protect themselves against digital hacks. Here is a summary of his tips for anyone interested in taking extra steps to protect themselves.
A strong password is by far one of the most effective ways to protect your computer and any important data you store in "cloud" accounts. The key to a strong password is entropy: the number of guesses an attacker would need to hit it. You get entropy either from a very long password or from a genuinely random choice of words, and the two can be combined: memorise one random string and put it in front of (prefix) or in the middle of (mid-fix) a longer passphrase. Put the random part at the front or in the middle rather than at the end: random-looking suffixes, and especially the usual number-and-punctuation suffixes, are so common that password-cracking tools try them first, so they add little.
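The following is an added example for this article, not code from the talk, that puts numbers on the entropy argument above: it computes the bits of entropy for a random passphrase, for a memorised random prefix, and for the combination, and contrasts them with a common number-and-symbol suffix. The word list is a constructed stand-in for a real Diceware-style list of 7776 words, and the pool size of 100 for "common suffixes" is an assumption used only for illustration.

```python
"""Password entropy estimates and a random-prefix passphrase generator.

Added example for this article; it is not code from the talk. The word list
below is a constructed stand-in for a real Diceware-style list of 7776 words;
entropy is computed from whatever list size you pass in, so the figures for
the tiny list here are deliberately low.
"""
import math
import secrets
import string

# Constructed stand-in word list (a real list has 7776 entries).
SAMPLE_WORDS = ["copper", "lantern", "orbit", "velvet", "thistle", "marble",
                "signal", "harbour", "quartz", "meadow", "anvil", "tundra"]

# Assumption for illustration: the usual "add a number and a symbol" suffixes
# are drawn from a pool of roughly 100 patterns that cracking tools try first.
COMMON_SUFFIX_POOL = 100


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of symbols from this alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_prefix(length: int = 8,
                  alphabet: str = string.ascii_letters + string.digits) -> str:
    """The memorised random string. secrets.choice uses the OS CSPRNG; never use random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words, n_words: int, prefix: str = "", sep: str = "-") -> str:
    """n_words drawn uniformly (with replacement) from `words`, with the random prefix in front."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return sep.join(([prefix] if prefix else []) + chosen)


def compare_schemes(word_list_size: int = 7776) -> dict:
    """Entropy of the schemes the talk contrasts, in bits (rounded to 0.1)."""
    return {
        "6 random words": round(entropy_bits(word_list_size, 6), 1),
        "8 random alphanumerics": round(entropy_bits(62, 8), 1),
        "8 alphanumerics + 6 words": round(entropy_bits(62, 8)
                                           + entropy_bits(word_list_size, 6), 1),
        "common number/symbol suffix": round(entropy_bits(COMMON_SUFFIX_POOL, 1), 1),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:30s} {bits:6.1f} bits")
    print("example:", passphrase(SAMPLE_WORDS, 4, prefix=random_prefix()))
```

Six words from a 7776-word list give about 77.5 bits and an 8-character random alphanumeric prefix adds about 47.6 more, whereas a suffix picked from a pool of 100 well-known patterns adds under 7 bits, which is why the talk recommends the random string as a prefix or mid-fix rather than a suffix.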
Most people need to memorise only three or four passwords: a phone unlock code (or pattern); the password for a primary email account (which is also where most services send password resets, so it must stand on its own); the password for online banking; and one "master password" for a password manager, which holds everything else.
Also turn on two-factor authentication for important accounts such as banking, your Google account and your password manager. Make sure, however, that you can still get into those accounts if you lose the device you use as the second factor: store the recovery codes (or the enrolment secret) somewhere safe when you set it up. Relying on a single device to prove who you are is a risky decision.
One of the most common mistakes people make is to reuse a single "master password" across all their web accounts. It is understandable why this is so common: most of us are forgetful and remembering many passwords is hard. But a reused password means that one breached site exposes every other account, and a weak one such as "1234" or a birthdate can have disastrous consequences.
One easy way to deal with this far-too-common absentmindedness is to use a password manager. LastPass, for instance, is free for personal use, user-friendly and available on smartphones. It stores the user's vault on its servers but encrypts it locally with a key derived from the master password, so the company itself cannot read the passwords. KeePass is a good open-source alternative that keeps the encrypted database entirely on the local machine. Unfortunately for Mac users, KeePass's native Mac version was still in testing at the time of the talk.
The biggest shortcoming of password managers is that the master password cannot be recovered: forget it and you lose the vault. It is highly recommended to keep a physical copy somewhere safe, such as a safety deposit box, rather than saving it on the computer.
For more information and other resources visit:
Laptops are common and easy theft targets, so consider a physical laptop lock for your desk. Most laptops have a Kensington security slot for this. Some laptops, mainly recent Macs, have no built-in slot.
Your laptop password matters more than it looks: if you encrypt your laptop (and you should), the login password is what unlocks the disk encryption key, so the encryption is only as strong as that password. It therefore needs to be reasonably strong.
You should also set your laptop to lock the screen after a fairly short idle time; 15 minutes or less is a reasonable guideline.
Biometrics (for example, fingerprint readers) have also been used as an extra layer of authentication, but they have not proved as effective or as popular as initially anticipated, and many companies have dropped their commitment to the technology. Treat a fingerprint as a convenience rather than a replacement for a strong password: it can be copied from surfaces you touch and, unlike a password, it cannot be changed once compromised.
Both Apple OS X and Microsoft Windows have built-in full-disk encryption. BitLocker, for instance, is available on Windows Vista and Windows 7 in the Ultimate and Enterprise editions, and on Windows 8 and 8.1 in the Pro and Enterprise editions (not in the Home editions). For more information on BitLocker, please visit http://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-wi....
On the Mac, FileVault is built into OS X and is easy to turn on from System Preferences (Security &amp; Privacy). For more on FileVault, visit https://support.apple.com/en-ca/HT204837.
Viruses, Worms, etc
There is a seemingly endless supply of malicious software out there: viruses, worms, trojans, spyware, ransomware and more, collectively called malware, built to damage systems, steal data or extort money. It typically arrives through malicious websites, untrusted browser extensions, "optional" installs bundled with freeware, fake downloads of popular software (free and open-source programs are a favourite disguise), and email attachments. Windows and Outlook have historically been the most targeted, but using something else does not make you immune.
A firewall is one of the best ways to keep a computer safe from network-borne attacks, so keep it turned on; the performance cost of a host firewall is negligible. Both Windows and OS X have a built-in firewall, so there is no need to buy one. On Windows, open the Control Panel and search for Windows Firewall; on a Mac, open System Preferences and search for "firewall". If the built-in options do not satisfy you, there are plenty of third-party firewalls; a web search for "firewall" will turn up many.
Windows comes with anti-virus protection that is actually quite good: Windows 7 users can install Microsoft Security Essentials for free, while Windows 8 ships with Windows Defender. If the built-in app is not enough, there are plenty of multiplatform third-party products, both free and paid. According to Tom's Guide, Avast, Bitdefender, Norton, Malwarebytes, Kaspersky, Avira and Sophos are among the best available. Of these, Avast and Sophos are arguably the best choices for Mac users, while Windows users should consider Kaspersky for anti-virus and Malwarebytes for malware detection.
Mac users can use the built-in Time Machine for on-site backups on OS X, while third-party services such as Backblaze, a good remote (off-site) backup solution, work on all operating systems. Keep both: an on-site copy protects against disk failure, an off-site copy against theft, fire and ransomware.
"Global exploits" are vulnerabilities in widely used software. They typically affect servers more than end users, so information about them is especially useful to organizations that host services. Heartbleed is by far the best-known example. It is a bug in OpenSSL's TLS "heartbeat" extension, discovered in 2014, that let an attacker read chunks of a server's memory, which could contain usernames, passwords, session cookies and even private keys. Because OpenSSL is used almost everywhere, many major websites holding personal information (banking and credit data among it), such as Google, Yahoo!, Dropbox and others, were affected. As a user you cannot fix the server yourself, so being affected by Heartbleed may be unavoidable; read reliable sources, such as the LastPass blog, to find out which services were vulnerable and what to do. The worst thing you can do is log in everywhere and change all your passwords BEFORE the service has patched the bug: a password entered on a still-vulnerable server can be read out of its memory just like the old one, so you would be handing the attacker fresh credentials rather than shutting them out. Wait until the site has patched (and, ideally, reissued its certificate), then change the password.
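The paragraph above describes what Heartbleed did; the following added example (a simplified model in Python, not OpenSSL's code) shows the mechanism: the heartbeat request carries its own payload length, the vulnerable server copied that many bytes without checking they were really there, and the fix is a single bounds check. The "process memory" image and the secret sitting in it after the attacker's record are constructed for the demonstration.

```python
"""Model of the Heartbleed over-read and of the bounds check that fixed it.

Added example for this article; it is a simplified model in Python, not
OpenSSL's code. The record layout follows the TLS heartbeat message (1-byte
type, 2-byte payload length, payload, at least 16 bytes of padding). The
"process memory" and the secret in it after the record are constructed.
In C the over-read pulls in whatever the heap holds next; here the bytes
appended after the record play that role.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: int = None) -> bytes:
    """Heartbeat request; an attacker sets claimed_length far larger than len(payload)."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack(">BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def respond_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-fix behaviour: copies `claimed` bytes from the payload start, trusting
    the peer's length field. If claimed exceeds the record, the copy runs past it
    into whatever lies next in memory (record_length is received but never used)."""
    _hbtype, claimed = struct.unpack(">BH", memory[:3])
    payload = memory[3:3 + claimed]                    # over-read past the record
    return struct.pack(">BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def respond_fixed(memory: bytes, record_length: int):
    """Post-fix behaviour: the claimed length must fit inside the received record
    (type + length + payload + padding); otherwise the message is silently dropped."""
    _hbtype, claimed = struct.unpack(">BH", memory[:3])
    if 1 + 2 + claimed + PADDING > record_length:
        return None
    payload = memory[3:3 + claimed]
    return struct.pack(">BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Payload echoed back, as the attacker reads it off the wire."""
    _hbtype, length = struct.unpack(">BH", response[:3])
    return response[3:3 + length]


# Constructed memory image: the attacker's record, followed by data that
# another user's request left behind in the same process.
SECRET = b"user=alice&password=hunter2;session=8f2c9a"
MALICIOUS = build_heartbeat(b"ping", claimed_length=200)
MEMORY = MALICIOUS + SECRET

if __name__ == "__main__":
    leaked = response_payload(respond_vulnerable(MEMORY, len(MALICIOUS)))
    print("vulnerable server echoed:", leaked)
    print("fixed server response:", respond_fixed(MEMORY, len(MALICIOUS)))
```

A benign 4-byte "ping" passes the check on both servers; the malicious record claiming 200 bytes is answered by the vulnerable server with the neighbouring credentials and dropped by the fixed one. This is also why changing a password on an unpatched server is pointless: the new one lands in the same memory the attacker is reading.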
Information Security Blogs
Want to learn more about keeping your computer safe? Visit one of these websites, or Threatpost (threatpost.com).