When it comes to being safe from hackers, we could all take steps to do better, myself included.
Less than a month into my new job covering cybersecurity, my personal site was hacked because I had failed to update some forgotten software for two years. It was a glaring hole with an easy fix, but it got me thinking: What does it take to be completely secure? What would I need to do that I don’t do now in order to never worry about hackers again? Is being completely secure even possible?
It’s a fair question at a time when hackers are stepping up their activities against retail and government entities. Hack after hack has stolen sensitive personal information such as credit card numbers and Social Security numbers — information that can be used to steal identities — and other data that could possibly compromise confidential military information.
There’s no better time to step up your security game than just before heading to Defcon, an annual congregation of hackers in Las Vegas. It’s a great testing ground, because hacking is sport here.
Mission impossible: Safety at Defcon
Defcon organizers warn journalists that wireless Internet at the conference is “profoundly hostile,” so I turned off almost all the communications technology on my phone and computer for the weekend. I’m not even using my own computer.
This seems the least I can do at a conference with sessions that discuss “leveraging dynamic loading to pwn n00bs.” In regular English, that means, “here’s a tool to break into the computers of morons.”
And most of us are the morons, I’ve learned.
Like most of you, I’m not a security expert. I’ve been sent here as an emissary from the world of n00bs (or “newbies”), which essentially feels like dangling from a hook. I was very excited about the “secure messaging for normal people” session, but based on how many programming puns flew over my head, I’m not sure I fit the definition of “normal.”
Mission still impossible: Staying safe in regular life
The finer points of evading hacking through Wi-Fi are a ready topic of conversation here, but that’s — of course — not the only way to get hacked. Opening the wrong email or clicking a bad online advertisement is all it takes to allow the bad guys’ code onto my computer to steal files and take control of my laptop’s camera (which is covered up correctly, in case you get any bright ideas).
So if I wanted to stay as safe as possible, I would never use Wi-Fi. Experts say most Wi-Fi isn’t trustworthy, particularly if it’s accessible to the public. When you walk around with your phone’s Wi-Fi turned on, your device constantly “probes” for the nearest signal. You’ve turned your phone into a wandering baby bird, who walks around with a giant name tag asking every signal it finds, “Are you my mother?” Hackers are walking around trying to scoop up those signals.
Not using Wi-Fi isn’t an option in my work life, and would be really inconvenient in my personal life. But I compromise by keeping my cell phone’s Wi-Fi off unless I’m at home.
I also try to avoid email-based attacks. Called phishing emails, they’re emails that seem legitimate but actually contain hacking code or a link to a fake website. So, don’t click on links from unknown senders (and be aware that Internet ads might be malware in disguise). Click at your own peril.
This also means I had to give up my favorite pastime of clicking “unsubscribe” on email newsletters. The sender could be a hacker pretending to be a newsletter from a restaurant where I just ate, hoping to infiltrate my computer with malware by getting me to click on a link in the email. Instead of clicking the unsubscribe link, I’ve learned how to filter and automatically delete unwanted emails instead. It’s basically the same as unsubscribing, but safer.
But, as a recently revealed flaw in Google’s Android software shows, some phishing attacks can get harmful software on your phone whether or not you click on the file. The flaw, called Stagefright, means anyone using text messaging on an Android phone is at risk. I don’t know about you, but I use text messaging.
What about passwords? Experts say I’m supposed to use different passwords for every site I visit. That’s not easy, so in the meantime I’m using a stopgap measure called two-factor authentication. To log in, I enter a username and password, but then I’m also sent a text message that contains a code I have to enter to complete the process. So, for a hacker to log in as me, they’d need to have not only my username and password for that site, but also access to my mobile device in order to get the code that’s sent.
So, I’m doing OK, right?
I updated all the apps on my phone and all the software on my computer, too, so everything is patched up really tight.
“That’s nice,” hackers tell me. But what about zero-day exploits? Those are hacking attacks that take advantage of security holes software companies don’t know about or haven’t fixed yet (and I think a few people here know about some of those).
What’s more, the hackers here at Defcon are almost blasé about these sorts of everyday hacks. Topics I’ve already discussed or plan to learn about from experts in the next couple of days include hacked satellites, hacked military rifles, hacked medical devices, hacked cars, and hacked computers that aren’t even connected to the Internet.
That’s right. Recently researchers at the Cyber Security Research Center at Israel’s Ben-Gurion University of the Negev announced that they hacked an “air gapped” computer, meaning they successfully attacked a computer that hasn’t once touched the Internet. They used a phone network and electromagnetic waves to compromise the computer using a cell phone.
It’s enough to make me want to move into a Faraday cage, which is a box built to block radio signals and resist electromagnetic waves.
It’s all pretty exhausting, and researchers say this is just the beginner-level stuff.
The message is that you’re always simply “safer,” never safe.
So I’m sitting tight. The secure messaging demonstration is about to begin. If only that were possible.