Alan Henry | lifehacker
We’re no strangers to helping you secure your computer, but there are some computer security myths and stories that keep getting passed around, even though they’re clearly not true. We sat down with a few computer security experts to separate fact from fiction.
A few weeks ago, Wired shared their five biggest cybersecurity myths and the truth behind them. Their list is good, but we thought there had to be some computer security stories that everyday users still believe, even though they’ve either been long debunked, or because they keep getting spread around.
We sat down with computer security and forensics experts Frederick Lane and Peter Theobald to get to the truth behind some security myths we’ve all heard on a regular basis.
Myth #1: No One Would Want To Hack Me, I Don’t Have Anything Worth Taking
This one comes in many forms, but it’s often referred to as “security through obscurity.” The idea is that because the internet is vast and the odds are in your favor, you’ll never be targeted—and even if you were, you don’t have any personal data of value on your computer worth taking. This one is pretty common, and both of our experts noted that they’ve heard this before.
The problem with playing the odds is that, of course, it only takes one bad roll to ruin your day. While it’s true that most of us don’t have to worry about being specifically targeted, the most common threats aren’t the ones that target you specifically—they’re internet-wide fishing expeditions by automated bots looking for vulnerable computers and networks. Similarly, it may not be your data someone wants—it’s your vulnerable, broadband-connected PC. Your computer is the valuable asset, Frederick Lane explains:
The device itself (or the storage space on it) is potentially useful to a hacker as a remote storage unit for contraband materials (i.e., child pornography), or as a zombie/slave in coordinated denial-of-service (DOS) attacks on Web sites.
Even if you don’t think your data is valuable, keep in mind that any personal or financial information is valuable to a potential identity thief. Bits and pieces can be assembled with other information from other sources to make a complete picture. In this case, a little prevention goes a long way, especially considering that recovering from identity theft is a long, arduous process that can take years. There’s no reason to put yourself at risk when even a little protection can make sure you never have to trust the odds.
Myth #2: Services Like Tor and VPNs Make Me Completely Anonymous
We love Tor, the service that disguises your web browsing so you stay anonymous. We’ve even showed you how to use it to protect yourself. The same is true for VPNs—we’ve explained why you should have one, and even some good ones to try. However, it’s important to note that both services are only as smart as the person using them. Both are great tools at what they do, but remember: They’re just tools. Lane explains:
[I’ve heard that] If I use Tor, no one can figure out what I’m doing. Tell that to the Harvard kid who logged into TOR on a campus computer to post a bomb threat last December, only to be stunned when law enforcement and Harvard IT employees were able to identify the computers that were used to access the network within a given time frame. They narrowed the suspects down to one who actually had a final, and when they showed up at his door, he confessed (no doubt out of shock). It is REALLY hard to be completely anonymous online.
Lane is right. Eldo Kim used Tor to post bomb threats in December of 2013 in an attempt to delay final exams at Harvard. He would have gotten away with it too, had he not left a trail of other evidence that led the FBI to his door, including the fact that he used Tor from the Harvard wireless network. Had he used a VPN, he may have had a bit more protection—but VPNs are designed for security—not anonymity. The chain of evidence would have led back to him eventually.
Bottom line: Remember that services like Tor and your favorite VPN are great for protecting your identity and security on the internet, but they’re not foolproof. Tor offers incredible anonymity from companies that harvest your data, your ISP, and even the government to a degree. A VPN encrypts all of your traffic so you can be sure your communications are secure from prying eyes or snoops. However, in both cases what you do can give you away, you’re still riding someone else’s network, and someone skilled and determined enough to decrypt or log your activity can do so. We still believe Tor and a good VPN should be tools in your security arsenal, but if you think they’re all it takes to be completely secure and anonymous, think again.
Myth #3: MAC Filtering and Disabling SSID Broadcast Is Enough Protection For My Wi-Fi Network
Most of us know better than to leave our Wi-Fi networks open to the world, but wireless security isn’t something you should trust to obscurity. We still see people who leave Wi-Fi networks unencrypted, and instead hide their SSID or use MAC filtering to “secure” them. Unfortunately, while these methods may deter non-technical passers-by, it won’t stop anyone with technical knowhow. Theobald explains:
Hiding your wireless network’s SSID is a mostly useless attempt at security. It may keep your nosy neighbor from seeing the name of your network, but as soon as you use your wireless network, you send your SSID name over the air anyway. In addition, hiding your SSID makes it more painful for your own computers and devices to connect to it. Hiding your SSID will make it difficult for legitimate users and won’t stop any hackers. So go ahead and display your SSID, and while you’re at it have some fun and scare the neighbors by naming your network “NSA_MobileTappingStation”.
Don’t run your wireless network unencrypted and don’t use the obsolete WEP encryption standard. It can now be cracked in seconds with simple, free-to-download tools. The best encryption standard to use is WPA2. While not perfect, it is the best available. Use a good long password that isn’t in the dictionary for better security.
Some wireless routers have an option to let you list all of the MAC addresses, which are similar to a serial number for your devices, that will be allowed to connect to your router. If you don’t mind the additional housekeeping of keeping track of your devices’ MAC addresses and your visiting friends and relatives devices’ MAC addresses there is no harm in using this setting to add another obstacle to hackers. It won’t stop a persistent hacker though, as they can watch your wireless traffic and see what MAC addresses you are using, then spoof one of those to gain access.
Lane agreed, and noted that easily available Wi-Fi scanning tools like Kismet can pull hidden SSIDs and MAC addresses out of the air. He also reiterated that WPA2 was the way to go. We’ve shown you how easy it is to hack WEP and WPA. As for MAC spoofing, you know how easy that can be. While these methods may be useful in addition to a properly secured Wi-Fi network, they’re not security on their own.
Myth #4: Incognito Mode Protects My Privacy
Actually, Incognito mode can protect your privacy—but only from other people using your computer. It’s not actually a privacy tool that protects you from the rest of the internet. Even though you’re warned each time you open an Incognito window, many people still think that browsing in Incognito mode means they can’t be tracked, their ISP can’t see what they’re browsing, or they’re somehow anonymous to the party on the other end of their connection. None of those things are the case.
Google explains in their FAQ (linked on every Incognito tab) that the sites you visit may still have records of your visit, and anything downloaded from those sites (including cookies, in some cases) will remain. Firefox has a similar FAQ on each Private Browsing tab. So, for example, if you log in to your Google account while browsing in Incognito mode, your Google Searches will still be saved in your web history. If you allow extensions to run in Incognito, any information they record or transmit will persist as well.
Perhaps most importantly, Lane explained that the sites or webapps you visit downstream still know who you are, have your IP address (and can match it to previous or future sessions) and can keep track of what you do while there. On mobile devices, Incognito mode may offer even less protection than on the desktop. Superuser has a great thread on this topic as well.
Myth #5: I Don’t Need Anti-Malware Tools, I Don’t Do Anything Risky
Perhaps the biggest and most persistent computer security myth we see is the idea that one person’s definition of “common sense” is all that’s required for everyone to stay secure—to the point where as long as you have it, you don’t need anti-malware or antivirus at all. We’ve talked about the difference between the two, and made our own recommendation: Namely, that good internet hygeine is the most important thing, above and beyond the security tool you use, but you should still have a security tool. Says Theobald:
Secure computing, just safe driving, doesn’t just depend on your habits. It depends on the habits of everyone else as well. Recently it was found that hackers had managed to put the ‘Styx exploit’ into advertisements that were shown on YouTube. Anyone who viewed a YouTube page with those ads had their computer attacked and possibly infected with the Styx virus. So you could have been only visiting “safe” websites, but even YouTube got hacked! The only defenses to these “drive-by” viruses is to update your operating system and software frequently to get the latest security patches and run anti-virus software. If you want to be more proactive you can be even safer with software like NoScript and Privoxy which give you great security at the cost of more hassle.
Both of our experts agreed on this point, and added that while malware doesn’t exactly make news these days, that doesn’t mean it’s not a significant threat. Similarly, malware today is often designed to avoid detection (unless we’re talking about something like CryptoLocker or other ransomware, which specifically wants you to notice it). Like we mentioned earlier, the goal is to use your computer as a resource, a zombie in a botnet, a Bitcoin mining machine, or a storage locker—as well as quietly harvest data while it’s running. You may also remember the whole Chrome extension malware fiasco from a few months back. You may never know something you thought was reasonable on your system is behaving badly until it’s too late for “common sense.”
That aside, it’s fair to say that all of us likely do a few things off-color with our computers, and even if you’re sure that you don’t visit anything “risky” or have tools in place to protect yourself, it’s important to have the right tools at your disposal just in case.
To be sure, none of these myths are perfectly false, but in the vast majority of cases putting faith in them only puts you and your data at risk. Instead, take the initiative to secure yourself or learn a little more about computer security, and you’ll be in a far better position than someone who’s playing the odds or relying on their own confidence to get them by.
Frederick Lane is an author, attorney, educational consultant, expert witness, and lecturer who has appeared on The Daily Show, CNN, NBC, ABC, CBS, the BBC, and MSNBC. He has written seven books, including most recently “Cybertraps for the Young.” All of his books are available on Amazon or through his Web site. You can follow him on Twitter at @fsl3, or at Computer Forensics Digest.
Peter Theobald a Computer Forensics expert and president of TCForensics.com. He spends most of his time finding things that were supposed to have been deleted.
Both gentlemen offered their expertise for this piece, and we thank them.
