’Tis the Season (To Not Get Hacked!) — 2020 Edition
Tips and tricks for staying cybersafe in the new year
Time again for my annual list of information security tips and tricks for keeping your identity and information safe over the holidays and all year round.
With 2020 being the hot mess that it was and with so many now working from home if not out of a job, the opportunities for being exploited by criminals have greatly increased, and believe me when I say that those criminals are certainly taking advantage. Here’re some items to consider to keep yourself safe.
Beware of phishing scams! Phishing emails (fake emails that impersonate legitimate emails from friends and companies such as your bank) continue to be the primary way that businesses and consumers are defrauded or get infected with malicious software, for the simple reason that they work. Knowing the signs of a fake email is just as important for consumers as it is for businesses. If you are not aware of what they are, take a look at this free training. In addition, having an up-to-date anti-malware package on your PC and utilizing a phishing-protecting DNS for your network (both described below) will help warn you of potential phishing scams if you still click the bad link in an email (by accident of course).
Pick and use a password manager. As the endless data breaches in the news have shown, somewhere, somehow, your account information has likely already been stolen. If you are reusing passwords across different websites, as it appears most people do, then your account information being stolen on one site will expose you to countless others where you have reused the same credentials. A password manager allows you to easily create and use complex, random passwords across the websites you access, all protected by a single complex password or passphrase that you know and only use for the password manager itself (my suggestion: use an online passphrase generator to create your master password). I’ve tested several password managers including Dashlane and LastPass, but in the end, decided on 1Password. This is my top recommendation, especially if you are primarily using Apple devices (as I recommend below).
Update your computers! If your PC or Mac is not capable of running the latest operating systems for Windows (Windows 10) or Mac (Big Sur), then it’s time to buy yourself or your family a new computer for Christmas. Security is a constantly evolving field, and operating systems are constantly being updated to address the latest vulnerabilities and threats. If you are not current, you are not protected, and if you are current, make sure that the automatic updating features are enabled so that your computers keep themselves up to date. My recommendation if you are shopping for a new computer: get a Mac, or better yet an iPad if your needs are primarily browsing and email. With the latest changes from Apple with iOS 14, an iPad will meet the needs of the majority of casual users, and if you have any non-tech-savvy relatives that you are the tech support for, you will make your life immensely easier by getting them an iPad and getting rid of their old PC. DO NOT get them an Android tablet just because it is cheaper! You will painfully learn the meaning of the phrase, “You get what you pay for” if you do.
Update your network! Personal computers are not the only pieces of equipment that need constant updating; your routers and whatever else you have on your network do as well. For network equipment (Wi-Fi routers for example), take advantage of the latest mesh Wi-Fi technology, which will not only give you greater coverage and speed but will also automatically keep itself up to date with security patches. Eero’s Wi-Fi products are worth a look if you need to upgrade your network. If you are feeling more adventurous and are experienced with networking, you can try building your own sophisticated firewall for your home network using the recipes I provide in my book, Safer @ Home with pfSense. The ebook version is on sale for half off through the end of the year.
Update your mobile devices! Keeping your mobile devices up to date is just as important as keeping your PCs up to date. If you have an iPhone or Android, make sure it is running the latest version of the operating system available, and if it can’t be updated to it (a particular problem for Android phones), buy a new one or even better, switch to an iPhone. Here again, I am updating my advice to say that unless you have a specific reason that you must use Android or Windows devices due to particular software needs or you are an extreme gamer, then I suggest you buy Apple products. Your information will be much safer by default (there is a reason that Apple is the only company you hear about the FBI battling for access to devices — for Windows and Android, they already have it). In addition, the premium you pay for Apple products pays for itself with higher quality and a much longer useful lifetime compared to non-Apple products.
Turn on 2-factor authentication wherever it is available (LinkedIn, Twitter, Google, Apple, etc). Two-factor systems (which generate a confirmation code that you need to enter along with your user id and password to log on) are a strong additional layer of protection against your accounts getting hacked and can provide a warning that someone may be trying to get into your account without your knowledge. My preferred password manager, 1Password, also features it as an additional security measure for access to 1Password itself on new devices. If you have a choice between receiving an SMS text on your phone or using a local authenticator app on your phone, go with the authenticator app. It’s the more secure choice, as there have been major hacks in which 2-factor SMS message systems were compromised.
Whatever new device you get under the tree this year, make sure that you read the manual to understand what security features are available. All too often even when security controls are available in a product, they are not enabled by default. Enable them and whatever you do, please make sure to change the default password for the device (using the fancy new password manager you installed to generate a complex, random password). Don’t forget to use your password manager to generate a secure and random password for your home Wi-Fi network as well. One other simple step that can go a long way to protecting your information is to make sure that you do not use an account with administrator rights as your day-to-day PC account.
I’m skipping my recommendation to use VPN (Virtual Private Network) software this year because so few of us are traveling or are likely to be traveling in the near future. Instead, I recommend taking the time to clean your authorization attic by reviewing the websites that you have granted access to using your Google or Apple credentials. This technology, called OAuth, allows your credentials on one site to safely be used to grant you access to another. However, what I have found is that after time you are likely to have an attic full of websites that you have granted access to that you are no longer using. Clean out these credentials by going to Google Security Review and checking the section titled “Third-party apps with account access”. For Apple, go to Appleid.apple.com and check the App-Specific Passwords in the Security section. For both Apple and Google, if you no longer access these websites or services, delete them.
Now more than ever, a malware protection package for your PCs is a must-have, even if you are using Macs. The old antivirus products of the past are no match for today’s sophisticated malware. Ransomware and other sophisticated malware are all now designed to bypass detection by simple signature-based antivirus products — what you need is software that can keep up with these threats. PC Mag does an annual review of the options available — any of their 4-star and above-rated choices will be worth considering, and you can read the evaluations to pick the best one for you.
For those who are a bit more interested in twiddling with technology, take a look at the free products available that can protect your entire home network from malicious websites and phishing emails. While not a guarantee, they go a long way toward ensuring that the computers and devices on your home network can’t communicate with known websites that serve malicious software or support phishing attacks. In addition, depending on the product you use, they can protect your family against web content you do not want them to see such as porn or tasteless websites. My recommendation is the free family filters available from Cleanbrowsing.org, which can be used for your whole house by configuring your router or can be installed on individual PCs or mobile devices.
Speaking of protecting your family, Apple has now extended the family features in their mobile devices to Mac desktops and laptops as well. Restricting the amount of time you use (or allow your children to use) their devices for social reasons is one of the best things you can do for their mental health (or yours). In addition, to give a child any device without restrictions on what apps they can download or what sites they can browse, borders on child abuse and neglect, considering how much harmful information is targeted at children or is easily available to them. Apple’s screentime feature is a good first step toward putting restrictions in place.
Two is one, and one is none. This simple motto is a reminder that when it comes to protecting your data, there is no such thing as too many backups. As more and more of our memories and records transition to digital, making sure that you have backups of that data becomes ever more vital. Whether you are infected with ransomware, or simply have a hard drive crash on your main PC, at some point when you least expect it and most need it, you will lose your data. And without a backup (or multiple backups), it will be gone forever. My recommendation, make use of whatever backup features are available in your PC’s operating system (such as Apple’s Time Machine), and then supplement that with a commercial cloud backup product (such as Backblaze or Carbonite) that securely backs up your information to the cloud.
Be vigilant. Knowing that your online or financial accounts have been compromised is the most important step in being able to rectify the situation before it gets worse. If you don’t have credit monitoring already, you can obtain it for free from CreditKarma.com. To monitor your online accounts, sign up at HaveIBeenPwned to receive alerts when your userid shows up in a report of breached accounts from a hacked website or company. Most password managers also provide this feature if the compromised account is one they maintain. 1Password includes a monitoring service that will alert you that you need to change the password for a company whose data has been stolen.
For financial information at least, prevent the problems before they occur by putting a credit freeze on your accounts at the credit bureaus. Following the Equifax debacle of a while back, Congress finally did something to help consumers and mandated that you can place and remove credit freezes at the credit bureaus for free. These freezes will help stop new accounts from being opened in your name until you remove the freeze. With this ability now being free and something that can be easily done through the bureau’s website or a mobile app they provide, there is no reason not to keep your credit profile frozen and unfreeze when needed. Updated details on how to freeze your credit are available here.
If you don’t already have an alarm system in your home or apartment, technology has now made it cheap enough that I recommend everyone consider adding it for their personal safety. Ring’s video monitoring doorbells and cameras are a great first step, not only providing real-time access wherever you are to who is outside, but also providing a mini-neighborhood watch function built into the service. Ring’s product suite includes a monitored alarm service and sensors as well as an incredibly low price point that practically everyone can afford. Another great purchase for peace of mind regarding your personal or family’s safety, though for privacy reasons I do not recommend placing any cameras inside your home that you cannot totally control.
Finally, be careful of scams. With the holidays, scammers come out in force. Whenever you see, hear or get an email about a deal that is too good to be true, it probably is. Shop safe and stay safe this holiday season.
That’s it! If you like this article, feel free to share it with your network, friends, and family. Be safe, be happy and I hope everyone has a wonderful holiday season this year in spite of the issues, and I hope that 2021 is better than 2020!