Some computer security myths and stories keep getting passed around, even though they’re clearly not true. We sat down with computer security experts to separate fact from fiction.
We know there are still some computer security stories that everyday users continue to believe, even though they have long been debunked, because they keep getting spread around.
We sat down with computer security and forensics experts Frederick Lane and Peter Theobald to get to the truth behind some security myths we’ve all encountered on a regular basis.
This one comes in many forms, but it’s often referred to as “security through obscurity”. The idea is that because the internet is vast and the odds are in your favour, you’ll never be targeted — and even if you were, you don’t have any personal data of value on your computer worth taking.
The problem with playing the odds is that, of course, it only takes one bad roll to ruin your day. While it’s true that most of us don’t have to worry about being individually targeted, the most common threats aren’t the ones that target you specifically — they’re internet-wide fishing expeditions by automated bots looking for vulnerable computers and networks. Similarly, it may not be your data someone wants — it’s your vulnerable, broadband-connected PC. Your computer is the valuable asset, Frederick Lane explains:
The device itself (or the storage space on it) is potentially useful to a hacker as a remote storage unit for contraband materials (i.e., child pornography), or as a zombie/slave in coordinated denial-of-service (DOS) attacks on Web sites.
Even if you don’t think your data is valuable, keep in mind that any personal or financial information is valuable to a potential identity thief. Bits and pieces can be assembled with other information from other sources to create a complete picture. In this case, a little prevention goes a long way. There’s no reason to put yourself at risk.
We love some good ones to try. However, it’s important to note that both services are only as smart as the person using them. Both are great tools at what they do, but remember: They’re just tools. Lane explains:
[I’ve heard that] If I use Tor, no one can figure out what I’m doing. Tell that to the Harvard kid who logged into TOR on a campus computer to post a bomb threat last December, only to be stunned when law enforcement and Harvard IT employees were able to identify the computers that were used to access the network within a given time frame. They narrowed the suspects down to one who actually had a final, and when they showed up at his door, he confessed (no doubt out of shock). It is REALLY hard to be completely anonymous online.
Lane is right. Eldo Kim used Tor to post bomb threats in December of 2013 in an attempt to delay final exams at Harvard. He would have gotten away with it too, had he not left a trail of other evidence that led the FBI to his door, including the fact that he used Tor from the Harvard wireless network. Had he used a VPN, he may have had a bit more protection, but VPNs are designed for security — not anonymity. The chain of evidence would have led back to him eventually.
Bottom line: Services like Tor and your favourite VPN are great for protecting your identity and security on the internet, but they’re not foolproof. Tor helps preserve your anonymity and defends you against companies that harvest your data, including your ISP. A VPN encrypts all of your traffic so you can be sure your communications are secure from prying eyes or snoops. However, in both cases what you do can give you away, you’re still riding someone else’s network, and someone skilled and determined enough to decrypt or log your activity can do so. We still believe Tor and a good VPN should be part of your security arsenal, but if you think they’re all it takes to be completely secure and anonymous, think again.
Most of us know better than to leave our Wi-Fi networks open to the world, but wireless security isn’t something you should trust to obscurity. We still see people who leave Wi-Fi networks unencrypted, and instead hide their SSID or use MAC filtering to “secure” them. Unfortunately, while these methods may deter non-technical passers-by, they won’t stop anyone with technical knowhow. Theobald explains:
Hiding your wireless network’s SSID is a mostly useless attempt at security. It may keep your nosy neighbour from seeing the name of your network, but as soon as you use your wireless network, you send your SSID name over the air anyway. In addition, hiding your SSID makes it more painful for your own computers and devices to connect to it. Hiding your SSID will make it difficult for legitimate users and won’t stop any hackers. So go ahead and display your SSID, and while you’re at it have some fun and scare the neighbours by naming your network “NSA_MobileTappingStation”.
Don’t run your wireless network unencrypted and don’t use the obsolete WEP encryption standard. It can now be cracked in seconds with simple, free-to-download tools. The best encryption standard to use is WPA2. While not perfect, it is the best available. Use a good long password that isn’t in the dictionary for better security.
Some wireless routers have an option to let you list all of the MAC addresses, which are similar to a serial number for your devices, that will be allowed to connect to your router. If you don’t mind the additional housekeeping of keeping track of your devices’ MAC addresses and your visiting friends’ and relatives’ devices’ MAC addresses, there is no harm in using this setting to add another obstacle to hackers. It won’t stop a persistent hacker though, as they can watch your wireless traffic and see what MAC addresses you are using, then spoof one of those to gain access.
Lane agreed, and noted that easily available Wi-Fi scanning tools like Kismet can pull hidden SSIDs and MAC addresses out of the air. He also reiterated that WPA2 was the way to go. We’ve shown you how easy it is to hack WEP and WPA. As for MAC spoofing, that’s also a simple task. So while these methods may be useful in addition to a properly secured Wi-Fi network, they’re not security on their own.
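Why a hidden SSID and a MAC allow-list protect so little, as an added example (not from the original article or the experts quoted): this Python code parses three constructed 802.11 management frames and shows that the network name and the client's MAC address travel unencrypted as soon as a device joins. The MAC addresses and the network name `HomeNet` are made up for the illustration.

```python
# Constructed 802.11 management frames (no radio capture involved).
AP = bytes.fromhex("02aabbccdd01")       # made-up access point MAC
CLIENT = bytes.fromhex("02aabbccdd99")   # made-up laptop MAC
BROADCAST = b"\xff" * 6

# Bytes of fixed fields between the 24-byte header and the tagged elements.
FIXED_LEN = {0: 4, 4: 0, 8: 12}
NAMES = {0: "assoc-request", 4: "probe-request", 8: "beacon"}


def build_frame(subtype, dst, src, ssid):
    """Build a minimal management frame: header, fixed fields, SSID element."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + AP + b"\x00\x00"
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid


def parse_frame(frame):
    """Return (frame kind, sender MAC, SSID) read from the cleartext frame."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in FIXED_LEN:
        return None                       # not a management frame handled here
    sender = frame[10:16].hex(":")        # address 2 is the transmitter
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):          # walk the id/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            return None                   # truncated element
        if eid == 0:                      # element 0 carries the SSID
            ssid = value.decode("utf-8", "replace") if any(value) else ""
            return NAMES[subtype], sender, ssid
        pos += 2 + elen
    return None


def sample_capture():
    """A 'hidden' network's beacon, then a client joining that network."""
    return [
        build_frame(8, BROADCAST, AP, b""),             # beacon, name blanked
        build_frame(4, BROADCAST, CLIENT, b"HomeNet"),  # client probing for it
        build_frame(0, AP, CLIENT, b"HomeNet"),         # client associating
    ]


if __name__ == "__main__":
    for kind, sender, ssid in map(parse_frame, sample_capture()):
        print(f"{kind:14} from {sender}  SSID={ssid!r}")
```

Only the beacon honours the "hide SSID" setting; the client's own frames name the network and expose an allowed MAC address, which is why WPA2 with a long passphrase is the control that matters.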
Actually, Incognito mode can protect your privacy — but only from other people using your computer. It’s not actually a privacy tool that protects you from the rest of the internet. Even though you’re warned each time you open an Incognito window, many people still think that browsing in Incognito mode means they can’t be tracked, their ISP can’t see what they’re browsing, or they’re somehow anonymous to the party on the other end of their connection. None of those are the case.
Google explains in its FAQ (linked on every Incognito tab) that the sites you visit may still have records of your visit, and anything downloaded from those sites (including cookies, in some cases) will remain. Firefox has a similar FAQ on each Private Browsing tab. So, for example, if you log in to your Google account while browsing in Incognito mode, your Google Searches will still be saved in your web history. If you allow extensions to run in Incognito, any information they record or transmit will persist as well.
Perhaps most importantly, Lane explained that the sites or webapps you visit downstream still know who you are, have your IP address (and can match it to previous or future sessions) and can keep track of what you do while there. On mobile devices, Incognito mode may offer even less protection than on the desktop. Superuser has a great thread on this topic as well.
Perhaps the biggest and most persistent computer security myth we see is the idea that one person’s definition of “common sense” is all that’s required for everyone to stay secure — to the point where as long as you have it, you don’t need anti-malware or antivirus at all. That is a foolish approach. Says Theobald:
Secure computing, just like safe driving, doesn’t just depend on your habits. It depends on the habits of everyone else as well. Recently it was found that hackers had managed to put the ‘Styx exploit’ into advertisements that were shown on YouTube. Anyone who viewed a YouTube page with those ads had their computer attacked and possibly infected with the Styx virus. So you could have been only visiting “safe” websites, but even YouTube got hacked! The only defenses to these “drive-by” viruses are to update your operating system and software frequently to get the latest security patches and run anti-virus software. If you want to be more proactive you can be even safer with software like NoScript and Privoxy which give you great security at the cost of more hassle.
Both of our experts agreed on this point, and added that while malware doesn’t exactly make news these days, that doesn’t mean it’s not a significant threat. Similarly, malware today is often designed to avoid detection. As we mentioned earlier, the goal is to use your computer as a resource, a zombie in a botnet, a Bitcoin mining machine, or a storage locker — as well as quietly harvest data while it’s running. You may also remember the whole Chrome extension malware fiasco from a few months back. You may never know something you thought was reasonable on your system is behaving badly until it’s too late for “common sense”.
Even if you’re sure that you don’t visit anything “risky”, it’s important to have the right tools at your disposal just in case.
Frederick Lane is an author, attorney, educational consultant, expert witness, and lecturer who has appeared on The Daily Show, CNN, NBC, ABC, CBS, the BBC, and MSNBC. He has written seven books, including most recently “Cybertraps for the Young.” All of his books are available on Amazon or through his Web site. You can follow him on Twitter at @fsl3, or at Computer Forensics Digest.
Peter Theobald is a Computer Forensics expert and president of TCForensics.com. He spends most of his time finding things that were supposed to have been deleted.
Both gentlemen offered their expertise for this piece, and we thank them.