So You Think You’re Secure…?

Leigh

The UK government GetSafeOnline website offers free advice and tells its users, “so now you really can stay safe with everything you do online.” Buy a Windows-based computer and the likelihood is it will arrive with pre-installed anti-virus software, often McAfee (part of Intel, which produces the processor chips most usually found on Windows computers). Periodically you’ll see a pop-up window saying, ‘You are secure’.

Do not believe either of these statements. No-one can guarantee that you are safe online and those who say you are safe are doing you a disservice.

These same anti-virus companies will often claim that they stop all or 99% of all viruses. Just like the old household cleaner ad that carried the inflated claim, ‘kills 99% of germs’, it begs the question, ‘what about that persistent, resilient remaining 1%?’ Both claims are distortions – they might stop 99% of the viruses they are tested against – but this is not, and cannot be, ‘all viruses’. So, with our government saying you can be secure, and with the security industry claiming you are secure, the result is that users think they are secure – but they are not.

This false sense of security can lead to over-confidence and recklessness: users are lulled into careless behavior online. Putting it bluntly, both government and industry statements are lies. The disservice is that most users will believe that following basic government advice and installing anti-virus software is all that is needed to make them secure. Believing themselves to be secure they will become sloppy in their online habits. Being sloppy is an invitation to the hacker. Users need to accept the simple reality – you cannot be secure online.

This series will explain why you cannot be secure, and how you can nonetheless be as secure as possible – which will be secure enough for most situations, most of the time. While acknowledging that hackers and hacking cannot be prevented, you can still make it as difficult as possible.

When you think about security, consider an old policing concept called Crime Prevention Through Environmental Design (CPTED). CPTED is a concept designed to prevent casual burglary by developing an architecture that makes it too difficult. The casual burglar probes for an easy way in, but finding the front door locked, the back door bolted, the building well-lit with surveillance cameras and a security patrol, he is likely to move on to easier pickings. CPTED will not defeat the well-resourced, determined and patient burglar; nor will any computer security defeat the well-resourced, determined and patient hacker. You just have to do what you can to deter the majority of burglars.

Here’s a cautionary tale from the UK. Sophie Curtis is a technology reporter with the Telegraph; so she is no newbie. She challenged John Yeo, at the time with SpiderLabs, to hack her computer. He took his time. He worked on it. And a few months later he had complete control of her laptop… and sent her a photo of herself taken by her webcam to prove it. One of the most insecure things you can do is to believe you are secure. The committed hacker takes the long view and while you are letting your guard down – you’re busy, your workload is heavy, you’re juggling work and family, you’re less than vigilant – the hacker hacks. Softly, softly catchee monkey.

Encryption is a good friend to security

Government is the biggest and most determined hacker of all. It says it wants you to be secure, but it does not want you to be secure against itself, the government. It can and does subvert security companies so that it can get into your computer via the very people you think are making you safe. It can and does demand the content of your computer, with a legal device that can even prevent you telling a lawyer that it has done so. But there is one thing government fears: encryption.

The NSA paid RSA $10 million to include a back-doored encryption system as the default in its crypto software library. Nevertheless, government cannot yet guarantee success at breaking all other encryption – and that’s why government is demanding its own private backdoor in applications that use encryption. If government, with unlimited time and resources, cannot crack encryption, neither can hackers. So while good encryption will not keep hackers out of your computer, it will stop them getting to your personal information and photos. Encryption is a good friend.

Note, however, that if government succeeds in forcing app developers to include backdoors, it will destroy the encryption promise for all of us. If there is a backdoor for government, it will be found and used by hackers.

Paranoia is security’s best friend

Where security is concerned, paranoia is your best friend and caution must be your byword. Don’t believe anyone or anything that says you will be secure, and always bear in mind that there is one common factor in all hacks: you, the user. The user participates in all hacks, either by doing what is wrong or by not doing what is right.

This series will help you understand how you get hacked, with what and by whom; and what you can do to make life difficult for the bad guys. We’ll be looking at passwords, types of malware, hacking methods, using the cloud for storage and more. We cannot guarantee your safety, but we’ll help you take power back into your own hands by making you more vigilant and more confident.
