Saturday, February 20, 2016

Five step guide to keeping yourself secure online

Five steps to take to keep yourself secure online based on how attackers actually operate. Do these 5 steps consistently and you will be well-protected against many of the online threats.

Threat Model: for this article, I'm assuming that the threat the user is facing is the standard cyber criminal one, e.g., Dyre, Dridex, Pony, CryptoLocker/CryptoWall and the associated spam/phishing campaigns and exploit kits which deploy them. If you are legitimately concerned about nation state adversaries, then you should know better to be taking advice from random blogs on the Internet!

#1 Don't click on suspicious links and don't open unsolicted attachments

Attackers like to use Exploit Kits to compromise users to distribute malware. Malware for normal users is often either Ransomware (like CryptoLocker/CryptoWall) which encrypts your files and holds the decryption keys for ransom (typically BitCoin) or credential-stealing malware (like Pony) which attempt to harvest your usernames and passwords. Exploit Kits are typically deployed to compromised legitimate websites or Ad networks. They profile your web browser looking for vulnerable software and plugins which they then exploit to drop malware. Anti Virus can sometimes catch this stuff but it's more effective to not visit suspicious site (#1), use an ad-blocker (#5) and patch your system, especially your browser plugins (#2).

Targeted attacks (which can be an issue if you work somewhere "interesting") and some spam campaigns will attempt to drop malware onto your system by tricking you into opening a malicious attachment (a.k.a, (Spear)phishing). You can be compromised either if you are running document software which is vulnerable to exploitation (e.g., old versions of Adobe PDF Reader or MS Office) or if you are tricked into enabling dynamic content like Macros (MS Office) or JavaScript (PDF). Don't ever enable Macros in an MS Office document. Just don't.

Suspicious links can be links to sites you don't know or don't normally visit. They can be links which closely resemble a site you trust (this is called typo-squatting). If you are suspicious of a link, you can try URLquery or Phishtank to see if other people have flagged the link as malicious. Best not to click anyway if you're unsure!

#2 Patch/Update your systems (and make backups!)

In order to drop malware onto your system, an attacker will need you to execute code on their behalf. Typically, you don't want to do this so your Operating System and applications will have protections against attackers injecting code into them. These protections sometimes fail and that causes a vulnerability. Some vulnerabilities can be exploited by an attacker to run code your system. When vendors catch these vulnerabilities, they often patch them thereby making it harder for an attacker to exploit your system. Indeed, most attacks leverage known vulnerabilities. So, patch everything! That means:
  • Browser plugins (these are the BIGGEST targets for attackers, especially Flash (better yet, uninstall it and use HTML5 video) but also Java and Silverlight (again, my preference is to simply uninstall, you hopefully don't need them anymore), you MUST have your browser plugins updated)
  • Operating System (Windows, Mac, Linux) - even better to enable automatic updates
  • Browsers (Firefox or Chrome - don't use IE or Safari)
  • Applications (MS Office & Adobe Reader are the main culprits here)
  • Servers that you run which are connected to the Internet (in particular any CMS like WordPress or Drupal that you use for personal web pages, photo sharing, etc.)
  • Mobile devices (Android is terrible for this, iOS is much better) and their applications (e.g., Google Play Store or iTunes)
  • Anything else you can lay your hands on (BluRay players, whatever...)
Making backups (Window Backup, Time Machine on the Mac, Déjà Dup on Ubuntu) also helps to protect you against certain types of Ransomware which don't encrypt attached storage devices.Most Ransomware targets Windows systems, but it's a good idea to keep backups no matter which platform you're using.

Bonus tip: don't run as Administrator/root. UAC & sudo are there for a reason! Increase attacker costs!


#3 Use strong, unique passwords for each site (use a password manager)

Attackers love to reuse your passwords. Attackers love to guess your weak password by using wordlists full of common passwords. The typical workflow is to break into some poorly-secured website (like a forum site) and grab all the passwords. Once the passwords have been uncovered from the password hashes (how passwords are stored internally by the server), the passwords are then reused against high-profile sites like Google, Facebook, Amazon, PayPal, etc. The weaker the passwords are, the less work the attackers need to do. The more widely reused a password is, the greater the exposure.
The solution is to use long, complex (upper case, lower case, numbers & special characters - not based on a dictionary word), unique passwords for each site. This means that if an attacker gains access to a site that you use, they might not be able to break your password as it's not a common one that can be easily guessed. If they do guess it somehow, it won't give them access to any other site used by you. This is a good thing.
In reality, it's simply too hard for a human to do this, so you need to use a handy bit of software called a Password Manager to manage these long, complex, unique passwords for you. I use LastPass. But 1pass or any other well-known Password Manager will do the job nicely.


#4 Use Two Factor Authentication

Also known as Multi Factor Authentication. It basically means that there is an additional authentication step which needs to be taken before you can login with a username/password. You may be familiar with hardware tokens issued by banks which provide you with a one-time password (a temporary password that is only used once) to authenticate yourself with. This is a strong security control as not only does an attacker need to have access to your username & password, but also to however you do your Two Factor Authentication, typically your mobile phone. Effectively you can give out your username & password or have it stolen via the Pony malware (#3) and an attacker still won't be able to login as you.
Google Authenticator works pretty well. Facebook and Twitter also support Two Factor Authentication and Amazon is in the process of rolling it out. Use it.


 #5 Use an Ad-Blocker 

Exploit Kits (#1) are often distributed through online adverts (a.k.a., malvertising - often exploiting Flash (#2)). Nobody likes adverts anyway, so just block them. I use uBlock Origin for Firefox & Chrome (don't use IE or Safari anyway). This protects you from attackers and makes your web experience much more pleasant. Win-win!


A Word on Anti-Virus

They're better than nothing. Marginally. So you should use one. Kaspersky is pretty much the best. But in terms of keeping yourself safe from how attackers actually attack in the real-world, I believe that the above 5 steps are more useful.
If you're a power Windows user, you should be using EMET.

Further Reading