An in-depth introduction to the world of cybersecurity.
We live in a world saturated with technology. I’ve made this article to help individuals learn how to stay safe and become better-informed citizens (you can view my credentials here).
Technology has become ubiquitous in today’s world and will be even more so in the years ahead. While it has made life better in so many ways, it has created new risks that range from petty annoyances to financial ruin. And it now has the potential to physically harm or even kill — through cyberweapons, the Internet of Things (IoT), and self-driving cars. These aren’t reasons to abandon technology, though. Ultimately, the impact of technology now and in the future comes down to how we choose use it (for instance, right now you could text a friend who’s going through a hard time, or you could humiliate them on social media).
Unfortunately, there will always be people who misuse and abuse technology. Consequently, each of us needs to make decisions on a daily basis as to how much risk we want to expose ourselves to; and because some of these problems are too large for any one individual or company to handle, we’ll need to be active and knowledgeable participants in public debates as new government regulations are likely to be enacted.
In order to appropriately assess risks, stay protected, and participate in debates as an informed citizen, each person needs to understand what risks are out there, why those risks exist, and cultivate a security mindset (at least at a basic level).
It should be noted, though, that a complication arises in cybersecurity with how we assess how secure we are. Just because we feel safe (e.g., when Chrome displays a green lock next to the URL) doesn’t mean that we actually are safe. This is completely different from how humans have assessed risk throughout human history. Generally speaking, if we felt safe, then we were safe (e.g., we live in an area with low crime rates and no one’s broken our windows, so we feel and are safe). This oddity with cybersecurity has given rise to security theater, which is where policies are enacted to increase security (and make us feel more secure) but don’t actually achieve that goal. Regrettably, security theater is performed by many organizations, including the TSA.
Because of this reality, we can’t just change a few settings and feel completely safe. My biggest hope is that this article will help you develop a security mindset. That said, each person is comfortable with different levels of risk in their life, so I’m not going to say, “You must absolutely do this or else…” Rather, I’ll talk about various risks, their consequences, and solutions to lessen those risks. You can then decide what you want to do. Will there be principles that I highly recommend you practice? Of course. But I also understand that you may be comfortable with more risk than I am. Ultimately, I want you to act knowing the landscape rather than making decisions blindly.
Below are the topics this article discusses that will help you be safer, better informed, and create a security mindset:
- Overview of Computers & Networks
- Main Cybersecurity Risks
- Government & Privacy
- Habits & Resources
Note: Nothing and no one can ever be 100% secure. If someone or a product claims to offer 100% security, they’re intentionally misleading you, incompetent, or maybe a bit of both. While forming good habits will lower your chances of becoming a victim, we live in a connected world, and your information can still be compromised if other entities don’t secure their systems or protect your personal data.
What This Article is Not
This site does not cover every security topic, nor does it teach you how to hack. There are so many subjects and angles to approach security from that, even at an introductory level, an exhaustive discussion on this site isn’t feasible.
Technology is everywhere and has brought opportunities and risks. This article helps you develop a security mindset so you can be safer online and an informed citizen. It does not teach you how to hack.
Overview of Computers & Networks
better understand digital risks, it’s good to have a basic understanding of how computers (e.g., laptops/desktops, servers, smartphones, IoT devices, cars — essentially anything with a CPU) work and interact with each others (i.e., networks). I’ll begin this section by talking about how computers and networks work and then discussing the risks. But don’t worry — I won’t be getting into any technical details. If you have questions, feel free to reach out to me.
But! Don’t feel like you need to read this section to know how to better protect yourself — feel free to skip this section if you’d like :)
This picture shows the four main types of attackers (hackers). Generally speaking, the attackers on the right are far more skilled than the ones on the left.
How Computers Work (very basic)
When I first learned how to program, I was surprised to find out that computers aren’t magic boxes.
Instead, you have to tell them exactly how to perform tasks, and they follow those instructions exactly (which can be good and also really frustrating when something goes wrong and you can’t figure out why). For example, let’s pretend I’m a computer and you’re trying to get me to put an apple in your hand (we’ll assume the apple’s already in my hand). If you say, “put the apple in my hand,” I won’t have any idea what you mean. If you tell me to raise my hand, I could raise it 1mm or high above my head and do so really fast or really slow (or anywhere in between). So, you’ll have to tell me to raise my hand by 45°. Once I’ve done that, you’ll need to tell me how to drop it (perhaps by raising each of my fingers). Once you’ve successfully taught me how to put an apple in your hand, you can save those instructions as a program (we’ll call it “Put the apple in my hand”). The next time you need an apple, you’ll only need to tell me to “put the apple in my hand,” and this time I’ll do it since I have the instructions on how to perform that task.
Computer Systems & Networks (very basic)
Computers don’t typically run a single program like putting an apple in someone’s hand. Modern computers are typically running millions, and often billions, of instructions each second from a variety of programs. A lot of those programs are interacting with each other and create an operating system (e.g., Windows, Mac OS, and Debian Linux).
At a lower level, the physical hardware components (such as the CPU, RAM, hard drive, keyboard, and monitor) form a system that enables computers to run those millions or billions of instructions each second. This physical system then joins with the operating system, allowing computers to work the way they do. Because computers are systems, troubleshooting problems when they arise can be difficult — when a program or piece of equipment isn’t working, the problem may actually stem from another, misconfigured program or a failing piece of hardware.
In this way, fixing a computer problem is akin to a doctor diagnosing an illness based on a set of symptoms — a headache may be caused by a cold, muscle tension in the neck, or a brain tumor (this is why being on tech. support can last so long; but just like doctors, there are competent and incompetent tech. professionals).
Most computers don’t interact with just themselves — most computers send/retrieve information with other computers (i.e., networking). They do this through sets of rules called protocols. The most common protocol you use everyday is IP (Internet Protocol), and it dictates a lot of how the internet works. There are many other protocols (e.g., FTP, TCP/UDP, and SSH) that are used independent of or with IP, but I won’t discuss those here. Using these protocols, computers owned by individuals and organizations connect with each other and form the internet.
This video and accompanying learning module from Khan Academy explain more about how computer networks and the internet function.
Main Cybersecurity Risks
This section covers three main areas of risk people face (Digital, Physical and Social Engineering).
— Digital (aka ‘Hacking’) Risks —
This section discusses 5 common risks and solutions to those risks that you and I encounter on a regular basis.
1. Weak Passwords
Weak passwords mean an attacker can easily brute-force your passwords to gain access to your account. When data breaches occur that contain peoples’ usernames and passwords, the problem is that those leaked passwords are used in future attacks. Password attacks account for variants, like cheese, ch33s3 and che3se123. All of those are easily guessed.
Cracking passwords boils down to statistical probabilities and time (and ideally encryption). This means that the stregth of your password is a combination of length and character set (letters, numbers, and symbols). Statistically, the avg. number of attempts needed to guess your password is (Character Set ^ length)/2. The amount of time to crack a password depends on how many guesses/second the attacker can make.
Guesses over the internet range in 100's/sec., while offline guesses can easily reach billions/sec. (yes, with a “b”) One security expert was able to crack 350 billion guesses/sec. in 2012, and as of 2013 the NSA was purportedly capable of one trillion guesses/sec.
By clicking these links, you can see how quickly passwords can be guessed online/offline and lists of the 1 million most common passwords and several million other passwords. Who knows, maybe one of your current passwords is on one of those lists? (fyi, some of the lists will take awhile to load if you click to view them)
Solutions to Weak Passwords
1. Use passphrases — they’re easier to remember, longer, and harder to crack than passwords
2. Use a password manager
You can learn how to do these things on my other website, introtosecurity.com (no ads on that site)
2. Outdated Software
If your applications or operating system (e.g., Windows, Mac OS, Linux distro, iOS and Android) are out-of-date, they’re very likely susceptible to an attack
that could let an attacker get full-access to your computer, even if they’re on the other side of the world. Zero Days and other exploits exists in old software and are discovered as new programs/updates come out. This is why updating your computer is extremely important.
Solution to Outdated Software
Update your applications, programs and operating system in a timely manner.
Updates can be annoying, so consider updating at a convenient time, like during dinner, when you’re showing or at bedtime.
Phishing is where an attacker attempts to get sensitive information directly from you. This information is commonly usernames/passwords, credit card information, and other types of personal information.
These types of attacks come most commonly in the form of emails. The email can be personalized and look like it’s from your bank (or any other organization) or include links to fake login portals, exactly mirroring the legitimate login portal (these are easy for an experienced attacker to setup).
To help determine if a site is fake or real, look at the URL* (the address in the bar at the top of your web browser). URL’s look like site.name.com (or .org, .edu, etc.) The main name of the company will be at the end of the URL (name.com). Anything before the name is legitimate (like login.name.com). Let’s use Facebook as an example. A legitimate Facebook URL will look like facebook.com or login.facebook.com (always ending in facebook.com). A fake address will look like facebook.xyz.com
*This isn’t a fool-proof method, though. URL’s can still be made to look just like the real address. To determine if it’s real, 1) check if there’s a green lock icon to the left (i.e., the site is in HTTPS), and/or 2) copy everything in the URL and paste it into a document. If you see things like “< script > “ or odd-looking things in the URL, type in the address you normally visit and/or contact customer support.
In sum, if you get an email with a link to your bank or other sensitive online account, don’t click on the link — enter in the URL you normally use and/or call customer service. Alternatively, you can inspect the URL to determine if the address is legitimate or a hoax.
Solutions to Phishing
1. Don’t click links in emails — enter in the address manually
2. Before entering passwords or other sensitive information online, make sure the URL is correct.
4. WiFi — At Your Home
If someone knows your WiFi password, they can conduct the same attacks as if your WiFi were a Public WiFi network. Even if you have a strong password, your WiFi is still vulnerable if you’re using weak encryption (i.e., WEP and WPA).
Solutions to WiFi — At Your Home
1. Use a strong WiFi password
5. WiFi — Public
Public WiFi leaves you open to WiFi Sniffing. This is where an attacker will gather all of the information on the network. In short, if you use your local coffee shop’s WiFi, any- and every-thing you do online can be viewed. This includes background data sent from your smartphone (if it’s connected). Unless your data is encrypted, this data is visible in plaintext.
Even if your data is encrypted, if the service you’re using doesn’t use strong enough encryption, attackers can still view your data. Powerful software like Wireshark are available for free and make WiFi sniffing possible. Other software lets attackers decrypt and view encrypted data.
Attackers can also conduct Man-in-the-Middle Attacks where the attacker can change information in-transit before/after you get/send it.
Another tactic attackers use is creating fake WiFi hotspots. These hotspots can be named similar to a legitimate one (e.g., Starbucks_Wifi vs Starbucks_WiFi) or even be the same name — there’s absolutely nothing preventing them from doing that. (Each device broadcasting a WiFi hotspot can be named whatever the creator wants it to be. While you wouldn’t want to name your WiFi the same as your neighbor’s, an attacker may very well want to do so.)
Solutions to WiFi — Public
1. Use a VPN (a way to securely view over the internet)
2. Visit websites in HTTPS (HTTPS Everywhere is a great browser extension that automatically forces this to happen).
3. Double check WiFi hotspot names before connecting
— Physical Risks—
If an attacker physically gains access to your device, it’s game over. They can brute force your password or use exploits to bypass security measures, gaining access to your data. This is why iPhone and Android logins only permit a certain number of login attempts — this slows the attacker down.
If your password is strong enough, that may make cracking your password in a reasonable amount of time impossible. And if too many incorrect attempts are made, the phone’s data will be erased (or your password deleted, leaving your data encrypted — for all intents and purposes, deleted), reasonably protecting your data (although if improperly erased, the data can still be extracted — I’ve done it before, but in legal & ethical settings).
Solutions to Physical Risks
Ensure your devices are encrypted (most phones now are, by default) and use strong passwords.
— Social Engineering Risks —
A security system is only as strong as its weakest link, and humans are often that weakest link. Social Engineers abuse trust to manipulate people into revealing information or granting unauthorized access to accounts and physical locations. Social engineering can be surprisingly easy to do and, in conjunction with humans frequently being the weakest link in security frameworks, the best hackers will often use this as their primary “hacking” tool.
For instance, in this video, a reporter asked hackers to hack his life. Right in front of him, one of the hackers called his phone provider’s customer service hotline and, while talking to a company representative, got full access to his account, added a new account, and had the password changed. This is not by any means uncommon or unusual.
One of the world’s most expert social engineers and hackers, Kevin Mitnick, was at one point being hunted down by the FBI. He evaded them for quite some time by tapping the FBI’s communication networks and finding out what they were going to do next to get him. His ability to do this involved a lot of social engineering.
If you want to learn more about social engineering and/or Mitnick’s story, I recommend reading Ghost in the Wires (you can also see Mitnick doing a live social engineering attack at Defcon, a hacking convention).
Solutions to Social Engineering Risks
Social Engineering may be the most difficult to defend against.
1. Stay vigilant
2. Use common sense (e.g., if something’s too good to be true, it’s probably a scam)
3. Don’t give away your passwords, especially over the phone/texting (If your partner/spouse needs your password, then that’s fine. Just avoid giving it away to strangers & people you don’t trust)
Government & Privacy
This section discusses encryption, mass surveillance, cyberweapons, privacy and government regulations. It also highlights issues frequently brought up in the news.
The art of encryption arose as people felt the need to protect documents from prying eyes. These cryptographers discovered methods to encrypt their data, but eventually someone would figure out how to decrypt those documents and any document using that particular method. Figuring out how to unravel these methods of encryption could take centuries (e.g., the Caesar Cipher) or just a few years (e.g., the Nazi’s Enigma machine).
Today, encryption is an integral part of life, and it keeps our data safe as it travels over the internet. Without encryption, services like online shopping or online banking would be impractical because anyone could see your credit card or banking info. (You can watch this video to learn more about how encryption works over the internet and this video for encryption in general.) It is also used to keep people from viewing data on your smartphone or laptop, so long as they don’t have/can’t guess the password. The latter use case has made it difficult for law enforcement to view data on criminals’ devices (if they’re encrypted). The most recent, high-profile case was Apple v. FBI. In this case, the FBI needed to gain access to a deceased terrorist’s iPhone but was enable to because the phone was encrypted. The FBI calls this problem Going Dark. Attempting to solve this problem, law enforcement officials and politicans are called on Apple to create a backdoor that only law enforcement could use and no one else.
Cryptography, however, doesn’t work this way. Modern cipers are mathematical algorithms, and if you create a way for one group to break an algorithm, you create it for every group (good and bad). In other words, creating a unique backdoor for law enforcement means making everyone’s data insecure and open to the eavesdroppers, criminals, etc., and may cause more problems than it solves. (I won’t get into the math, but if you want to learn more about it, you can watch this Khan Academy module or read The Code Book, which covers the history (and math) of encryption from Ancient Egypt to quantum cryptography.) A unique backdoor may be possible, but according to our current understanding of the laws of mathematics, this is mathematically impossible. As a result, if we create a backdoor for one person, we create a backdoor for everyone else.
It’s possible that the NSA, which employees more mathematicians than any other organization on earth, has discovered a way to do this. But due to the nature of their work, they can’t (and shouldn’t) share their discoveries.
Instead, we need to find solutions to the problem. This requires first defining what the problem ultimately is and then brainstorming ways to solve that problem. That includes weighing consequences, intended and unintended, of those solutions.
Since at least 9/11, the United States and many other countries (both democratic and authoritarian) have been conducting mass surveillance programs, often in the name of national security. In the US, a White House report found that these programs have done little to prevent terrorist attacks (see here and here). What these programs do result in is a loss of privacy, a declared natural right by the UN. They have also been declared illegal by a European Union court. The topic and scope of mass surveillance is so broad that it can’t be fully discussed on this site. What I will do is talk about a few of the US government’s capabilities and consequences of these programs.
— Capabilities —
Led by the NSA in America, the US has the capability to essentially monitor any and every conversation you have, unless you take precautions to guard against it. If you’ve ever sent an email, visited a website, texted, made a phone call — the NSA more than likely has a record of that. The government can view anyone through webcams (even if you think they’re off), and NSA employees have inappropriately spied on women.
The government has claimed that with phone calls, they only collect metadata (who/when you called, call duration, etc.) and not the actual conversation. Metadata, however, is actually extremely useful in law enforcement, and a lot of information, even personal, can be gleened from it.
In sum, if you have any interaction on a computer or are near one, there’s a possibility that the NSA or another spy agency (like Britain’s GCHQ) is either passively or actively monitoring your activities, with or without a warrant.
This video by John Oliver does a great job talking more about Mass Surveillance.
— Consequences —
Knowing governments (and corporations) are surveilling their activities, people are adjusting their online activities. In other words, people are beginning to self-censor. The consequences of this include:
- Restrained or false expression of opinion
- Reduced creativity
- Easily stifled dissent by governments
In addition to the United States, Great Britain, and several other nations have set up their surveillance programs in such a way that democratic societies could be turned into full-fledged surveillance states with the flip of a switch. And because we’re gathering data on every single activity of every single person, if a leader or entire nation one day decides that they don’t like a certain demographic or anyone who’s ever searched for, say, paintings of boats, they can find out who that person is. So if you searched even once for a boat painting, even if you weren’t actually interested in it, you’d be profiled and whatever actions the leader/nation deemed appropriate would be taken against you. Technology has given us unprecedented ways to stop and combat crime, from criminal databases to real-time location monitoring. These new technologies, however well-intentioned, do have consequences. As a society, we need to take these into consideration and ask ourselves if these mass surveillance programs, which aren’t even effective, are worth their impact on society.
In 2010, security researchers came upon an odd piece of malware causing computers to crash and reboot. Throughout the course of their investigation, they would find it to be the first of its kind. Rather than stealing or recording data, the malware (known as Stuxnet) was designed to physically destroy a specific target — centrifuges at a nuclear reactor in Natant, Iran. It is believed that the US and Israel created the malware.
A cyberweapon, like Stuxnet, is malware created by APT’s to conduct espionage or physically attack, typically against a specific target. Since 2010, additional cyberweapons have been discovered all over the world. It’s believed cyberweapons are in critical infrastructure systems in many nations. This has been backed by anonymous NSA employees reports that the United States controls all of Iran’s civilian and military infrastructure — dams, electric plants, nuclear reactors, telecom. networks, et. al. a Part of Ukraine’s power grid was shut down in Dec. 2015 by a cyber attack and possibly once again a year later.
Cyberweapons are immensely dangerous for several reasons:
- They can destroy critical infrastructure, meaning millions of people could be left without electricity, water, and other necessities for months or years
- Attribution is difficult to determine. False footprints can be easily left behind.
- Once a piece of malware is publicly known, anyone in the world can use it — APT’s to security researchers to individual, rogue hackers.
Privacy is a fundamental part of a free society. In order to have free expression of ideas and beliefs, individuals need to be able to confidentially discuss their thoughts and make mistakes. Imagine how you would behave if you knew every thought and action you make would end up on social media? Because corporations and governments are monitoring peoples’ actions, individuals are adjusting their behaviors. (See above for more discussion on this.)
Not all consequences of less privacy are bad. When used appropriately by law enforcement, illegal activities are stopped. And in the corporate sphere, personalized services improve our lives. For example, Nest thermometer will learn your preferences to automatically adjust your thermostat, and Google’s personal assistant will search through your email to identify flight information, later giving you updates on that flight. And marketers can direct ads at their target groups rather than at everyone.
In recent years, however, people have lost trust in governments and organizations to respect their privacy. As a result, many countries are now passing privacy laws. The most notable one is the EU’s GDPR, which I discuss here.
The Internet of Things (IoT) poses new opportunities and challenges. One of the challenges is that technology now has the capability to physically harm or kill. Because of this, and other problems no single person or business can solve, regulations will need to be implemented.
One example is managing security updates for IoT devices? On one hand, we want to make sure the bug is fixed asap, but on the other hand we need to make sure the update won’t cause further problems (e.g., the role of the FDA with prescriptions). It’s better that we make these regulations now than make rash decisions right after a disaster.
Additionally, many companies are proving themselves untrustworthy stewards of peoples’ data. In the last couple of years, we’ve seen many regulations around the world passed (e.g., Russia, Canada, GDPR in the EU, etc.). Going forward, we’re going to see more privacy & cybersecurity laws enacted around the world.
Your ability to lower your exposure to cyber risks depends on the habits and security mindset you develop. Nothing will ever keep you 100% safe — getting hacked or having your credit card information stolen is as likely as you getting physically ill. But like good health habits, you can keep yourself safe online by:
- Understanding the basics of technology
- Knowing the risk landscape
- Staying informed
- Using appropriate tools
This article has focused on helping you understand the first two bullet points. Listed below, in the resource section, are reputable security news sites/blogs and tools you can utilize.
And once again, if you have any questions, please feel free to contact me.
This section lists resources and tools you can use to become safer, stay informed, and learn more. Many of these resources have been cited on the rest of the site.
Movies & Videos
- Zero Days
- CitizenFour (HBO | Amazon)
- John Oliver: Mass Surveillance
- John Oliver: Encryption
- The Conversation (Amazon | Netflix)
- The Lives of Others
- What Happens When You Dare Expert Hackers To Hack You
- Countdown to Zero Day
- Ghost in the Wires
- The Art of Deception
- The Art of Intrusion
- Social Engineering
- Spam Nation
- The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
- Data and Goliath
- Secrets and Lies
- Liars and Outliers
- Beyond Fear
- The Cuckoo’s Egg
- Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground
- Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age
- Dragnet Nation
- Nothing to Hide
- Password Managers
- Passwords: 350 billion guesses/second
- Passwords: NSA 1 trillion guesses/second
- Passwords: Lists of Passwords
- Passwords: How LinkedIn’s password sloppiness hurts us all
- Passwords: Why passwords have never been weaker
- Man-in-the-Middle (MITM) Attack
- Zero Days
- FBI paid $1.3 million to get into iPhone
- Dr. Anthony Vance’s Site
- Caesar Cipher
- Nazi’s Enigma Machine
- Going Dark
- Ineffectiveness of NSA Surveillance | ProPublica
- Ineffectiveness of NSA Surveillance | NBC News
- UN Declaration of Human Rights
- UN Right to Privacy in the Digital Age
- EU’s Highest Court Declares UK Surveillance Powers Illegal
- Metadata: Definition
- Metadata: Vital for Crime Fighting
- Metadata: Why it Matters (EFF)
- Punishment of Whistleblowers
- Obama’s War on Whistleblowers | The Washington Post
- Obama’s War on Whistleblowers | The Guardian
- The Chilling Effects of Surveillance
- The Harms of Surveillance to Privacy, Expression and Association
- How Surveillance Changes People’s Behavior
- Ukraine’s Hacked Power Grid (2015)
- Ukraine’s Possibly Hacked Power Grid (2016)
- It’s not Privacy vs. Security
- The TSA is in the Business of Security Theater, Not Security
- Security Theater
- Privacy Shield
- Need for Government Regulations in Tech.
Software & Apps
- Signal (secure SMS | Android & iOS)
- LastPass (Mac, Windows, Linux, iOS, and Android — also available as browser extension)
- 1Password (Mac, Windows, iOS, and Android)
- zxcvbn Password Tester
- LastPass (Chrome, Firefox, Opera, Internet Explorer, and Maxthon — also available as an app.)
- HTTPS Everywhere
- Privacy Badger
- Lightbeam (Firefox only)
Modified version of a version published at andrewnsanford.com