Consumer Cybersecurity 101

How not to catch a computer virus, and other protective measures


Disclaimer: The author of this article is not a cybersecurity specialist. Always do your own research; make your own informed decisions.

Nothing is ever 100% secure, regardless of what a service or device you use says. You always take a risk when using technology. Therefore, we should should be mindful to use technology only when we deem that the benefits will outweigh the drawbacks. Part of ensuring that balance relies on your actions when using technology. If the benefits are outweighed, detrimental consequences can ensue and you open yourself and those around you up to unnecessary risks.

The following couple thousand words will outline examples of common negligent behaviour and how to avoid them so that you can rest a bit more easily when you connect to the world.


Browser compartmentalisation is the name of the game

If you're anything like me, 99% of the time you spend on your personal computer is spent accessing the internet through your web browser of choice. When it comes to browsers, like with all software, you should be keeping up to date on the latest updates and security patches, and not be using unsupported browsers (I’m looking at you Netscape Navigator users).

I’m a big fan of using incognito mode when I want to reach sites I don’t need to be signed in to, since it blocks all third-party cookies, pauses my browsing history, and deletes my cache once I close it. But, the reality is, while good for some things, incognito mode is not the be-all and end-all solution to preventing tracking by the Googles, Facebooks, and Microsofts of the world.

Now you may then be thinking, “Well, what about ad blockers?”. Extensions like ad blockers can block some of the technologies websites need to function properly. Anyone who’s been warned by a site telling them to whitelist the site knows what I’m talking about.

What about VPNs? Well, other than providing you with a slower internet connection, being ousted by specific blockades such as those used by Netflix, being illegal in some countries, and often costing an arm and a leg for their subscriptions, VPNs can also easily log your browsing data and sell them to third-parties to make a buck, or worse, considering that all your browsing traffic flows through them. This is especially true for “free” VPNs. If you don’t believe me, just look up the controversies surrounding “Hola”, a free VPN I used to use myself:

Now comes browser compartmentalisation. Apart from being a tongue twister, browser compartmentalisation is the increasingly mainstream technique where a user uses multiple unique web browsers, each dedicated to a different type of internet activity. For example, you could have one browser dedicated to sites you need to log in to, such as social media, banking, and shopping sites. You will never use this browser to browse the web. You could then have a second browser dedicated for all your searches and random browsing. You will never log in to sites from this browser.

Browser compartmentalisation in action.

Since unique browsers don’t communicate with one another, when a large tech company which feeds off ad revenue places a tracker on one of your browsers, it won’t be passed off to your other ones. The benefit of this technique is that it makes it difficult for data brokers to link your online browsing, between your different browsers. It can also be helpful to use incognito mode on your second browser to prevent cookies being stored on your system and consuming storage.

Just as *another* disclaimer, by following this method, you won’t gain complete anonymity online; your internet service provider and maybe others will still be able to view your history and are likely to be obligated to comply with law enforcement. So don’t do anything illegal online (or anywhere for that matter), or risk having your data be overturned to the fuzz.


Into the mobile-verse

Mobile devices are computers and should be treated as such. The same advice to keep your software up to date for security patches applies. But with the more, well, mobile characteristics of these devices, there are some specific issues to be aware of.

Keeping our phones secure is only becoming increasingly vital as they are gradually replacing our wallets and keys. So, when out and about, you should keep your device locked. But with all the options to do so, which is the best to use: Password, passphrase, pin, biometrics?

Firstly, passwords are, essentially, a terrible idea, but we're not just yet ready to fully replace them in our lives. The reality is that passwords are too easy to guess and break. A person with malicious intent only needs your user ID and they can soon gain access to your information. This is only made worse by the fact that you probably use your same couple “ingenious” passwords across all your accounts.

Secondly, although biometric methods of unlocking, like fingerprint scanners and facial recognition, are more secure than passwords, a passcode is still needed to “enter the gates” so it should be a good one. Instead of trying to remember a cryptographic key as a password, consider using a passphrase which is made up of an arrangement of words and numbers which make sense to you, but no one else. Perhaps something memorable and hard to guess like “th1spassphrase!s2l0ng” (Don’t actually use this one).

If you currently use a pattern to unlock your device, I have some bad news for you. A joint study published by researchers at the US Naval Academy and the University of Maryland Baltimore County found that pattern unlocking is very insecure since 66% of people can recreate the pattern from six feet away after only seeing it once and 80% can recreate it after seeing it entered twice.

Frequently used unlock patterns.

Social espionage

With the prevalence of sharing on social media, we can inadvertently share information which appears in our passwords and which form the answers to our security questions, such as names of contacts, locations significant to you, and names of pets. When you share information, in whatever medium, you should always be vigilant and consider not only the intended recipient of the information but also the unintended recipients and what they could do to you with this knowledge if they have malicious intentions.

Social engineering is the act of tricking someone into divulging information or taking action, usually through technology. Social engineers focus on taking advantage of those at their weakest moments by analysing their behaviours and reactions to then trick them into unintentionally divulging their credentials.

One common form of a social engineering attack is known as spear phishing. (Not the activity for hunting food you may be thinking of). Spear phishing is the act of pretending to mimic a legitimate institution, through seemingly unsuspicious emails, letters, or websites, and asking the recipient to “help fix an issue” with their account. It hopes to collect user credentials without them realising they’ve entered it into a fake site because they were in such a panic to correct the mistake in their account.

Remember that, if suspicious, you should try to go directly to the service to log in or find your contact information and, in fact, most genuine communications will encourage you to do just that by deliberately not including links for you to click on.

If you must click on a link provided, always ensure that the institution's name is spelt correctly in the URL. So don’t access something like “www.paypel.com” or “www.netfliix.com” Also, try to only access sites beginning with “https://” as opposed to just “http://” (This applies to all browsing). The added 's' stands for “secure” and essentially establishes an encrypted connection between the web server you’re accessing and your browser. You can try changing the URL manually or use an extension like “HTTPS Everywhere” by the Electronic Frontier Foundation to do so automatically when the option is available.

HTTPS Everywhere hard at work

Linked-In to the world

This wouldn't be a true article targeting students and yuppies, written during COVID without mentioning glorious LinkedIn. We all aim to achieve that infamous 500+ connections label but often don't realise the hazards associated with adding just anyone to our networks. The case against having a goal of achieving the infamous LinkedIn 500+ connections status is based on the same vulnerabilities people create when they share too much online, except now those you don’t truly know can gain access to you. I would caution this tale for personal accounts on any social media platform.

Connections on LinkedIn should be viewed differently to contacts on other platforms; they are two-way and should benefit both parties involved. You’re better off focusing on building meaningful connections who are willing to share insights with you and who you are willing to actually connect with IRL.

If you’re about to do some LinkedIn stalking in preparation for an interview or just to stalk (we’ve all done it, don’t worry) and you don't want others to know you've seen their profiles, simply switch to “Private mode” under Profile viewing options in your LinkedIn settings before you stalk and switch back once you’re done to continue to see who’s been stalking your profile. The logic is similar to how the “Active Status” option works in Messenger. In LinkedIn settings, you can also hide your profile photo and limit your last name to its first initial for anyone who isn’t a connection.

How to enter 'Private mode'
How to present the first initial of your last name.

Before you go

Just a few final things while I still have your attention:

Firstly, if you’re pedantic about using Google as a search engine, I would say that Google doesn’t need you to use its search engine to gather data on you, neither does Facebook need you to use their platform for the same benefit. But, then again, to each their own. So feel free to continue DuckDuckGo if it gives you a sense of privacy. I suggest what’s more important is that you review your account settings on Google, and all your other accounts and devices, and disable any nasty options you come across. It’s likely some are enabled by default. As with most services, you want to disable personalised advertisements, automatic gathering of telemetry data, and constrain access to your location if you don’t use GPS on your laptop, just to name a few.

Google Account settings
Privacy settings in Windows 10 Settings app

Next, consider using your phone as a security key by enabling two-factor authentication. Many major platforms already allow for this in their security settings; just take a look. With 2FA, when logging into an account, alongside providing something you know, e.g. a password, you will also need to use something you have, like a one time code sent to your phone. If you’re concerned about not having your phone to log in with, might I ask, “When have you ever not had your phone with you?” On the off chance you need it, you’re supplied with backup codes you can keep somewhere safe. 2FA apps like Google Authenticator don’t even require connectivity to work due to a nifty algorithm called HOTP (which is a fascinating read).

Google’s 2-Step Verification options

Lastly, remember the golden rule when handling sensitive information: Treat your confidential information how you would want it to be treated by others. Otherwise, you form the weak link in the effort to keep your data secure.

I haven’t gone through everything you can do to protect yourself when using technology, that might as well be impossible to do, for both you and I, but hopefully with these practices in mind you can be more at ease, or at least aware, whenever you use some tech.

Stay cyber woke.


References

  1. https://www.fastcompany.com/90311396/incognito-mode-wont-keep-you-private-try-browser-compartmentalization#:~:text=Browser%20compartmentalization%20is%20a%20privacy%20technique%20that%20is%20finally%20gaining%20mainstream%20attention.&text=However%2C%20instead%20of%20switching%20between,another%20type%20of%20internet%20activity.
  2. https://vpnoverview.com/vpn-information/disadvantages-vpn/
  3. https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_algorithm
  4. https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
  5. https://www.komando.com/privacy/whats-the-most-secure-way-to-lock-your-smartphone-the-answer-will-surprise-you/426844/
  6. https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html#:~:text=Social%20engineering%20is%20the%20act,natural%20tendencies%20and%20emotional%20reactions.
  7. https://www.globalsign.com/en/blog/the-difference-between-http-and-https
  8. https://www.forbes.com/sites/dailymuse/2015/01/12/having-500-linkedin-contacts-means-nothing-unless/#17fd1b945774
  9. https://images.app.goo.gl/3LhV4aqw25g3SJEp6
  10. https://images.app.goo.gl/JPaCFBGsPypNFJbv8
  11. https://images.app.goo.gl/K6AHfFWMxiBBmJGJ7