Saturday, 15 August 2015

Security Dos

The last couple of weeks have seen an unprecedented number of computer vulnerabilities surface into public knowledge. All Mac users, we have been told, are exposed to a certain online vulnerability that they simply cannot escape and that chances are Apple will not fix in the foreseeable future. Android users have been hit with one unavoidable security vulnerability after another, all of them quite severe, with hardly a hope of rectifying the situation - the direct result of an ecosystem featuring thousands of different devices distributed through numerous telcos that couldn't care less about the security of their end users.
What can a simpleton user do in the face of such overwhelming odds?
The results pretty much speak for themselves. Most users do not do enough. Most users actually have no idea what they can do. For most users, having up-to-date antivirus software that gives them a green tick of approval is all that is required in order to consider their PC environment safe.
Well, it isn't enough.
The fact of the matter is, if one wants to stay on top of the latest computer security hazards, one has to spend a lot of time keeping oneself informed with the latest news as well as on keeping one's computing armada (all PCs, smartphones, tablets and gaming consoles for a start, not to mention the latest in the Internet of Things) up to scratch. And even that does not guarantee anything come the next vulnerability, or come a vulnerability that the world is simply unaware of.


As depressing as the above may sound, this does not mean that one needs to turn the other cheek. Leave that to Jesus; you can still put up a fight. There are actually several simple things you can do, things that will help reduce your personal risk significantly - to the point of being able to consider oneself almost (but never) in the clear.
Here are the three top measures you can take in order to keep on top of your online security, as recommended by yours truly:

1. Keep your devices and applications patched up with the latest version of everything:
Make sure you install the latest updates to your PC/smartphone/etc operating system as soon as these updates are released and up to the latest patch available. Do the same to the applications you use, particularly those that use the Internet: your web browsers are the classic example.
Note that Microsoft releases most of its security updates on what it calls Patch Tuesday, the second Tuesday of the month; make sure you run your Windows Updates shortly after. Adobe has, by now, synchronised itself to Microsoft time, publishing its releases at the same time. Apple has a less regular release schedule but it will let you know when its gadgets are ready for an update. Ubuntu stands clear of the field, regularly checking for all relevant updates and handling them all at the same time seamlessly in the background while requiring not much more than a mouse click.
Android stands out as the black sheep of the family, as already mentioned. If you do go with Android, I would recommend buying a model that guarantees being able to receive regular updates - say, Google's own Nexus models. Beware of buying your Android gadget through a telco, because that telco will hold you back from updating your device later on.
What good is keeping your device up to date this way? After all, especially with Apple, keeping it up to date will also mean sacrificing battery power and speed?
The answer is simple. With each patch that's being released, the latest round of security hazards and vulnerabilities is taken care of. At the same time, due to them being taken care of, they also become public knowledge. Thus, at the same time that a solution is being offered to the public, the various rogue elements of the electronic world are offered a raw list of vulnerabilities they can try and exploit through the large ranks of everybody out there that fails to keep themselves patched. And exploit they will; you can count on it. It's a rule of nature.
You do not have to put yourself in the ranks of the exploited. Patch up. Avoid the non patched like the plague that it is.

2. Use a password manager
I have discussed password managers here before. Password managers offer two key services: they let you easily maintain long and complicated passwords of a grade you will never be able to remember on your own, and they let each and every such password be unique.
In turn, this helps you in two ways. Nowadays, when passwords get lost, that usually happens in the form of a massive database leak at the company holding on to your password. Usually, if those companies are up to their game, the passwords will be hashed - meaning, it will take some effort on behalf of the hacker to actually know what your password is. If you use a strong password created by a password manager, as opposed to a simple dictionary word (like "password"), there's a good chance that hacker would never be able to put their hands on your actual password. It's a maths game; the hacker's "guess the password" utility can only guess so many options during the hacker's lifetime. A good password generated by a password manager will take them a few billion years to guess using today's hardware. We can live with that.
Occasionally the hackers will get your password, though. Too many companies like Sony and Adobe exist out there, keeping your passwords as plain text. This is when having unique passwords helps. In most of the latest rounds of online identity thefts, the reason the hackers were able to get into people's accounts had to do with the fact that those people used the same password on multiple websites/devices. That will never happen if you use a password manager!
I have recommended 1Password here before. It's actually free for iOS devices, but it will cost you on a Mac or Windows. LastPass has recently reduced its prices, now offering free services; you pay to get your passwords synchronised across devices.
Do have a look into such a product, it would be one of the best things you'd ever do for the sake of your online security. Sure, password managers do not negate all risks; they actually introduce new ones. But the fact of the matter is, you are much safer in the hands of the security experts from AgileBits (makers of 1Password) than in your own humble hands alone. You should exploit their expertise to your own benefit!
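To put numbers on the "maths game" and on the value of unique passwords, here is an added example (not part of the original post, and not how 1Password or LastPass work internally). The guess rate, the wordlist size and the site names are assumptions made for illustration.

```python
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption: the attacker tests 10 billion hash guesses per second.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length, alphabet_size=len(ALPHABET)):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def years_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return candidates / rate / SECONDS_PER_YEAR


def build_vault(sites, length=20):
    """One independent password per site, so a leak exposes one account."""
    return {site: generate_password(length) for site in sites}


def report():
    """Compare a dictionary word with a generated password."""
    wordlist_size = 1_000_000  # constructed figure for a cracking wordlist
    return {
        "dictionary_word_years": years_to_exhaust(wordlist_size),
        "generated_20_char_years": years_to_exhaust(search_space(20)),
    }


if __name__ == "__main__":
    # Constructed site names, for illustration only.
    for site, password in build_vault(["bank.example", "mail.example"]).items():
        print(site, password)
    for label, years in report().items():
        print(f"{label}: {years:.3g}")
```

At the assumed rate the whole wordlist is covered in a fraction of a second, while the 20-character generated password needs far more than a few billion years; a slower password hash on the server side lowers the guess rate and widens the gap further.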

3. Disable
This last measure is simple. If you don't need something running on your computer or your gadget, disable it. Better yet, remove it.
You're asking for examples. I'll give you two.
Adobe Flash is something you should be able to live without nowadays. Lately it also happens to be our major source of security hazards, with even Yahoo ads injecting malicious code into web pages of the most popular of websites. YouTube is where most of us needed Flash before, but nowadays YouTube and most video streaming websites have moved on to HTML5, clearing the path for you to get rid of this up-to-no-good hazard. And if you really think you still need Flash, do yourself a favour: disable it. Modern browsers like Firefox and Chrome will give you the option to prevent Flash contents from running without your specific, direct approval. Use that option!
My second example is Java. Ever since Oracle took over Java from the setting Sun, it has failed to deal with security properly. As it happens, you're in luck: hardly anything outside the corporate world uses Java anymore (a lot of stuff uses JavaScript, but that's a different animal), so the chances of Java's removal having an effect on you are minimal. Indeed, most modern browsers no longer have Java by default, and even Apple got rid of it a couple of years back. As far as I can tell, the main implication of removing Java for a home user nowadays is Minecraft - which is why I got my Minecraft on a console rather than a PC.
