The Internet Connects You to Good and Bad People
The Internet must rank as one of mankind’s most amazing achievements. In a few short years we have become highly dependent on the ability to access information, communicate quickly, cheaply and easily with virtually anyone in the world, all in near real time.
The Internet has truly revolutionised our world!
Probably the biggest single benefit is that all of the accumulated knowledge of mankind is now available to almost anyone, at any time. Just take a moment to let that point sink in, because that is truly an enormous benefit, which we all probably take for granted to some extent.
But as with everything, along with the good, comes a fair amount of bad.
While we are exposed to the accumulated knowledge of mankind, we are also exposed to the accumulated stupidity and malignancy of all of mankind—and it’s not always easy to sort the wheat from the chaff. In fact, in many cases, misinformation is deliberately peddled in such a way as to deceive us, by people with questionable (or downright bad) agendas.
While the Internet allows us to connect and communicate with our friends, family and business associates, wherever they may be, it also allows malicious people to connect and communicate with us, whether we like that or not. The Internet directly connects you to every malicious, evil, predatory person in the world.
Before the Internet, there may have only been one or two bad apples in your neighbourhood whom you had to deal with. Nowadays, you go about your everyday activities directly connected to millions of malicious people.
Underestimating the Risks
The vast majority of people hopelessly underestimate the risks involved when they venture onto the Internet without taking the necessary precautions.
The core problem is that Internet services are delivered to the ordinary person in a deliberately easy-to-use and transparent manner. All the complexity that enables that is hidden. So most people do not really think about, nor bother to understand, what is happening behind the scenes, as it were. They just consume the end product, which is quite understandable.
The sheer scale of Internet apps, and the vast number of people that those apps connect together, is not really grasped either.
Before the Internet, if some of your sensitive private information fell into the wrong hands, the amount of damage that could be done was limited. How would that person be able to find ways to use that information? What could they do with it? How would they travel to where they needed to? The horizons and capabilities of criminals were much more limited in those days.
But just as the Internet has made your life easier, as well as enhanced your ability to transact and get things done remotely – well it has done the same for criminals!
Nowadays, if some of your sensitive or private information (such as your banking credentials) leaks onto the Internet, there are hundreds of thousands of criminals out there right now, at this instant, who are eager, able and willing to use your information within seconds. Hackers have built sophisticated web crawlers which automatically scan for vulnerabilities, and which automatically break into unprotected computers and smartphones to harvest your data, without you even knowing about it (so it’s not some dodgy person who cares enough about you to be sitting up late at night hacking your computer; it’s a piece of software running 24/7 on a server somewhere, which can hack millions of people simultaneously). There are sophisticated trading markets where your passwords and credentials are sold to the highest bidder, because that information is so valuable.
Before the Internet, if you did or said something embarrassing or stupid, perhaps in the heat of the moment (as we all do from time to time), how many people would know? How long before they forgot about it, and what would they do with that information? Well, today there are millions of people who will eagerly use information like that to destroy the lives of other people they do not even know. To those self-righteous, spite-filled busybodies, it’s almost a form of entertainment to sift through the information available on the Internet about people just like you, and then form a massive mob to persecute you, because they felt you did something “wrong” which they feel the whole world needs to know about. One should remember that every bit of data or information about you that makes its way onto the Internet is potentially stored forever. So there is no limit to the amount of damage some embarrassing snippet of information about you can cause in your later life, if it falls into the hands of some malicious person who wishes you harm.
Before the Internet, if you received a phone call from a stranger, who told you what your children and wife looked like, where your children went to school, what your home address was, where your wife worked, and other detailed intimate information about your family, you would quite rightly be chilled to the bone – because you would instinctively realise that information could be used by the malicious caller to inflict terrible harm on your family.
But nowadays, people seem to be incredibly eager to share all that same information with the entire world! Why do they seem to assume that criminals and malicious people do not exist in cyberspace? Why assume that among all the millions of people who can access your data, either legally, or illegally, that NONE would wish you any harm, nor are eager to use that information against you?
But this is precisely the inherent assumption that many people seem to make, when they are very blasé about the risks of using the Internet.
But actually it would be wise to just take a few simple precautions, which limit the risks of using all the wonderful services and knowledge made available to us by the Internet.
Don’t Expect Other People to Keep You Safe
While many people might acknowledge the risks inherent in using the Internet, they seem to think that someone else is going to keep them safe, no matter what.
Our core philosophy on this blog is that one needs to take responsibility for looking after oneself. That way you become empowered, more capable, more able to withstand the trials and difficulties of life, and more able to help others do the same.
In addition, one should realise that many of the services offered over the Internet are not there primarily for your benefit. Those services and products actually exist for the profit of the companies involved, who entice you in by offering free, or very cheap, services which perhaps compromise your security, privacy and safety. This is particularly true where companies use a business model which uses technology to harvest data about you, in order to sell that to advertising companies, who use that information to send you targeted adverts for various products and services you may be interested in. The more they can find out about you (there seems to be no limit to how much intimate data they want about you), the more valuable that data becomes on the open market. This is a very invasive mode of doing business, which shows complete disdain for what used to be good manners and common respect for the boundaries between people.
Not only that, but their terms and conditions (which you probably never read, but agreed to nevertheless) effectively state that all your opinions, words, images and videos, together with all the other data they collect about you, belong to them, and/or that you have limited rights and control over what they do with that data about you from that point onwards. While it may be convenient getting adverts for products and services that you might be interested in, you should be aware that these companies are obviously NOT going to keep you safe! They do not care about your safety (no matter the flowery prose used by their “Customer Care” departments). Their entire business model is based on the on-going violation of your privacy, to the maximum level that you will tolerate, and that limit will constantly be pushed farther, as far as they feel they can get away with at any point in time.
They also take advantage of the fact that the majority of their customers simply do not understand the extent to which their personal privacy, security and safety is being compromised.
Why would you expect these companies to keep you safe? Yet many people still seem to make that assumption, for some reason.
The only person that is going to keep you safe on-line, is you!
If you choose to use those products and services, do so by all means. But do so with your eyes wide open, and after taking the necessary precautions.
The Tension Between Convenience and Security
All security requires one to acknowledge first of all that bad things can, and often do, happen—as well as take responsibility for one’s own safety, to prevent that.
Both of those things can be quite inconvenient.
And that tension between convenience and security can be an insurmountable dilemma for many people!
Unfortunately many people will choose convenience over security, every single time, no matter what the consequences may be. If you are one of those people, well there is probably not much I can say to convince you otherwise, so I’m not sure what value you may gain from this article.
There are a few circumstances where increasing your security also represents an increase in convenience, at least to some extent (such as using a password manager), but in most cases, taking steps to improve your security, generally represents a decrease in convenience.
Obviously some form of compromise is the answer: accepting some reduction in convenience, with the objective of benefiting from increased security.
That level of compromise must obviously be based on your perception of the risks you feel you are exposed to. This does lead to many situations where the stable door is closed long after the horse has bolted, unfortunately, but that is probably just human nature, to which we are all subject.
Just be aware that many situations which are potentially prejudicial to your online security are deliberately made to be incredibly convenient for you, to lure you into situations that benefit those offering those services, but which may compromise your security quite substantially. So using the level of convenience as your yardstick is not necessarily a good approach in cyberspace.
Many people underestimate just how important their email is to their online security.
But consider this. A very common method of attack is where hackers somehow get access to your email account credentials (your email address, together with the password and other settings used to set up your email account on your phone or laptop), perhaps because one of those devices was stolen and you had not set a password on it.
They then set up your email account on their machine. They will get all your emails, just like you do. You will not know that is happening. They can do this for some time (as long as they like, or until you change your password). They will receive your bank statements, get to know who your friends are, who your work colleagues are, who you frequently correspond with etc. They will know the processes by which you place orders for goods at work, and everything else you do by email.
When they want to, they can request a password reset, on one of your online accounts. For many on-line accounts, this simply requires the user to click on a secure link sent to them via an automated email. The hackers will receive that email and click on that link, which will enable them to reset your on-line account password (they will do this in the middle of the night while you are asleep). Thus, they will lock you out of your own account, by changing your password, and can do what they like after that. They will also probably have all the information they will need to satisfy any identity checks, from the company concerned. So they can pass themselves off as if they were genuinely you (having your statements etc).
So hopefully you can see how important it is to take very good care of your email credentials. Do not share them with anyone else. Change them the moment you suspect any skullduggery.
Choose a long password, and make sure you set up your email client to connect via SSL or TLS (ask your email service provider to help you set that up on ALL your devices). This ensures that all connections between your devices and your email service provider are encrypted, so that anyone who intercepts them cannot read your credentials or your mail.
Also consider using a POP3 type of account which deletes all mail from the central server, after it has been delivered to you, so that any hacker gaining access to the central server, does not gain access to all your correspondence going back for some time. But that means that you need to take responsibility for backing up your own email and keeping that safe.
Malicious Links in Emails
Another completely different, but on-going and very irritating, security issue related to email is malicious links and attachments included in emails sent to you.
Be very very careful about clicking on ANY link, or attachment, included in an email, even if it is sent to you by someone you know.
It’s actually far better to delete emails that you have the slightest suspicions about. If those emails are genuine, you will probably get some later notification or reminder, or will be sent those emails again. Call the sender to verify that they are genuine, before clicking on any links or attachments.
Be particularly wary of “urgent notifications” which require immediate action, with dire warnings of penalties etc. Also be very wary of “payments”, “invoices” or “statements” sent around month-end from people you do not know. Again, call them first, to verify that it is safe to click on those links or attachments. Other traps are “special time limited offers”, which try to rush you into taking a rash action.
You need to stay wide awake.
Delete all emails that you have any suspicions about at all. The amount of havoc and damage that can be done by getting this wrong, even once, is far greater than the issues caused by deleting an email which might be genuine.
On the Internet, passwords are like your house keys: you need them to gain access to your various on-line accounts and services.
The problem is that passwords are quite easily guessed, or derived, using various types of password-breaking algorithms, as well as by using information about you and your family which is freely available on the Internet.
The strength of a password is basically defined by the number of characters you use. As the number of characters increases, the strength of the password increases exponentially. The maths behind this can get quite complex, but all you need to know is that, in modern times, a six-character password can be broken in less than two seconds by most algorithms running on a simple laptop. You need a password of at least ten characters, but preferably more, to be safe. This article explains the problem quite well. Basically, the more characters you use, the longer it takes the hacking algorithms to try out all the various possible combinations of characters (modern computers can make millions of guesses per second, and that capability is increasing all the time as computers get more powerful).
But using the same long password everywhere is not a good idea either, because if that becomes compromised, then hackers can, and will, search for all your other on-line accounts, to try that password on them as well. Lists of known passwords, for given user names are freely available and are traded by hackers worldwide. You are probably already on many of those lists.
In addition to that, if you have been sharing information about your private life freely with the rest of the world, then all that information is available to hackers as well. They can run every word, date and name you have ever typed on Facebook, or any other social media which is available to them, through a password-cracking algorithm to short-circuit the process of trying all the possible characters that might make up your password. These sorts of systems have been set up and are available to hackers as kits, which they can download for free. And hackers are enhancing their capabilities all the time.
So essentially what you need is a set of passwords which are completely random, unrelated to you in any way, where each password is only used for one on-line account, and which are about twelve characters long, or preferably more. One can see that we are running into the tension between convenience and security, mentioned above, by adopting this requirement!
But luckily this issue has been solved! All you need to do is use a password manager. There are various different products and services available, and it is strongly recommended that you adopt one of them. Password managers represent one of the few cases where increasing your on-line security also increases your convenience – because from then on, all you need to remember is one strong password (for example a phrase from your favourite book or movie—which you should not share with anyone – ever), and that one password unlocks a secure storage system, which stores all your other passwords. You do not need to ever remember, or even know what any of those other passwords are, because the password manager system does that for you. You can use very long randomly generated passwords to your heart’s content, with complete ease.
To some extent many people already use a variant of this system by allowing their browser to store their passwords for them. But unfortunately this is not recommended. The reason for this is the same old tension between convenience and security. All browser vendors are worried (quite rightly) that any level of inconvenience perceived by their users, will encourage those users to try a different browser. So their password storage systems all focus on convenience and not proper security. And thus all those systems are compromised to some extent, and are thus easy prey to hackers. If any hacker gains access to your device, your browser’s password storage file is the first thing that hacker will grab, and sadly browser storage systems are all compromised to the point that they cannot be used safely. A proper secure password manager is the only real option you should consider for storing all your passwords.
Find a secure password manager that you are comfortable with and use it!
We recommend KeePassXC, because it is well regarded, runs on most operating systems and is also free. The passwords are stored in a secure file which you have complete control over (for example, you can store that file in your cloud storage service, so that it is automatically available to all your devices). But there are many other options, with different benefits and features, so take some time to explore them all.
Why Encrypting Your Data and Communications is Necessary
In the online world, encryption is equivalent to a barrier (see our article on basic home security). Encryption prevents unauthorised people from gaining access to your information and communications. You use encryption in exactly the same way, and for exactly the same reasons, as the wall around your property, and locks on your doors at home. So that you can control who has access to your family and valuables. The only difference is that there is a practical limit to how many bad people can physically get to your home, there is no such limit on the Internet.
For example, further above in the article, we advised that you should adopt SSL or TLS as the method by which your email client communicates with your email service provider. This means the messages passed between your device’s email client and the email service provider are all encrypted. That is important because without encryption your email credentials (password and login details) are sent in the clear every time your device connects to the email server, and can thus be read by anyone. This communication can very easily be intercepted by hackers, who will then be able to hijack your email account as described above.
For example, suppose you use public WiFi at a hotel or coffee shop to access your email. Coffee shop owners or hotel managers perhaps do not worry too much about the security settings on their WiFi routers. Many would probably just switch on the router and hope it works, without changing anything. Most WiFi router settings can be accessed on the same IP address (for example 192.168.1.1), and most have the default login credentials of “admin” for both user and password. It is thus a trivial matter for a hacker to access the router and make some changes which would allow them to start reading all the traffic passing through that router. And thus they gain access to your email credentials when you access your email using that public WiFi router.
This is just one example of the myriad of ways that the information and data you send across the Internet can be intercepted and used against you. By encrypting everything you send, or store, on the Internet, you can protect that information from being used for purposes which may harm you, by people you probably do not even know.
At this point many people will ask, “so what are they going to do with my data?” The problem is exactly that – you don’t know. They could use it for anything! And again, many people are still not fully grasping the scale of the Internet and how it has enabled the use of data on massive scales, and how that can be employed for good, as well as bad reasons.
And here we run into the tension between convenience and security, yet again. Good security practice denies all access, until proper authentication and authorisation is provided, in each specific case. So the default position is no access. One needs to give a good reason to gain access. By adopting that approach, one does not have to consider every possible reason and case for denying access, but rather just focuses on a single specific reason to grant access, each time access is required.
However, convenience tends to work the other way round: all access is granted, unless one can provide a reason why not. And this is what is implied by the question “what are they going to do with my data?”. The person asking the question is demanding a list of bad things that can happen, and then probably wants to try to deny access in those specific cases only. But the problem with that approach is that you don’t know all the different ways that people can misuse your data, or harm you, and many of those ways have yet to be invented. It is an impossible task to try to protect yourself in that manner!
“What are they going to do with my data? I have nothing to hide”, is similar to asking, “why would anyone come onto my property uninvited, to do my family harm, or steal from me?” If you lock your door and gates at home, then you should probably encrypt your data on the internet. The reasons for that are exactly the same.
So by encrypting your communications and data on the Internet, you deny access by default to everyone, unless you specifically grant them access. Which is a far more manageable approach, given the millions of people out there, all of whom have different capabilities, agendas and motivations.
Encryption of Data At-Rest vs In-Transit
Without getting into all the nitty-gritty, there are two different situations where encryption should be used:
- When you store data somewhere on the internet (which is commonly referred to as “the cloud”). This is called “encryption of data at-rest”.
- When you send or receive data to/from a remote source – which is called “encryption in transit”, and is usually enacted via SSL (the Secure Sockets Layer; there are newer names and variations for this concept, but let’s not get pedantic).
As a broad generalisation, encryption of data in-transit is widely practised and available to ordinary people. For example, when you connect to a website with your browser and a little lock appears next to the URL, and/or you notice that the URL uses the “https” prefix (instead of “http”), that means the connection between your browser and the remote website has been encrypted, and any data flowing between the two is being encrypted. Think of this as a secure “pipe”, temporarily formed between your browser and that website, which all the data flows through.
The same SSL protocols can, and should, be used for sending and receiving email, sending and receiving files (SFTP), connecting directly to remote computers via SSH, and any other situation where your data is flowing across the Internet.
Don’t worry about all the acronyms; just take on board the concept that secure methods of transmitting data across the Internet are available and it is considered best practice to use them. Make sure that you do. So, in any circumstance where your data is flowing across the Internet, ask whether that is happening over the Secure Sockets Layer.
Encryption of data at rest is not so widely practiced, but as explained above, if you store any data anywhere on the Internet (for example in a cloud storage service such as Dropbox), then it really should be encrypted as well. Make sure that it is.
However, be aware that just because something is encrypted, with proper strong encryption algorithms (such as AES 256), that does not mean it is necessarily completely safe. To use terms that people are more familiar with, think of encryption as some form of barrier, such as a secure door, with an unbreakable lock. And just like a secure door, you need a key to “unlock” the encryption. Now if a secure door is locked, but you do not control the keys, can you be sure that your valuables are safe?
If everyone has the keys, then obviously, no, your valuables are not safe! If people you do not know, who may not really care about your safety, control the keys, then no, your valuables are not safe. If people who control the keys, do so because they want access to your valuables on terms that suit them and not you, and you have zero or limited control over how that happens, then no, your valuables are not really safe.
In fact to be absolutely sure encryption actually keeps your data and communication safe, you, and you alone need to control the encryption keys. So how do you tell if you do in fact control the encryption keys? That’s easy! In any situation where, if you lose your password, someone else can “reset” your password for you, then you do not control the encryption keys, they do.
And here we run into another conflict between convenience and security. Absolute encryption integrity means that you, and you alone, control the decryption mechanism. But that can be very inconvenient, especially if you do not want the responsibility of keeping your password safe (a password is normally required to access the encryption keys).
This is one reason why many people simply do not bother with on-line security to any great degree. They do not want the responsibility of looking after themselves; they want someone else to do that for them.
Of course one can compromise on this issue, to whatever extent you feel is right for you. Just be aware what that compromise means.
An example of what this all means in practice is a cloud storage company that claims it encrypts all your data for you, but where you do not control the encryption keys. That is convenient, because if you forget your password you will not have to worry about losing all your data: they will be able to “reset” your password for you. But in that case you need to trust them, and take them at their word, that first of all they are actually encrypting your data in a way that keeps it safe from other people (which may, or may not, be true). Then you need to trust that whoever controls the encryption keys cares about your data, and further trust that they are not going to access, or use, your data for their own benefit (which is precisely what many on-line companies want to do), and that they will take care not to carelessly expose your data by mistake (which happens frequently). Those are all the compromises you are accepting, in exchange for the convenience of not having to remember your own password! Of course if you used a password manager, then you would not have to worry about remembering the password – just saying!
There are some very useful encryption products and/or services, such as Boxcryptor, which allow you to take control over the encryption of data stored in the cloud, or shared with other people. These tools offer a reasonable compromise between convenience and security. We would suggest that you investigate them and make up your own mind.
Controlling your own encryption has the benefit of allowing one the confidence to store sensitive financial and other important documentation in the cloud, which then will not get lost, if any of your devices are stolen, or your house burns down, or something like that. Storing that information centrally in the cloud, allows you to easily share that with other people, anywhere on the planet, in a secure controlled manner, as necessary. For example, have you thought about how a loved one will gain access to all your on-line accounts, policies and other important documentation if you die suddenly? By securely encrypting that information, storing that in the cloud and then securely sharing access to that encrypted information, you can easily achieve that objective. The same applies to sensitive business information.
General Good Practice
So then finally in summary, here are a few additional general guidelines that will improve your cyber security and privacy:
- Remember that most devices, software or services are shipped/delivered in a default state of maximum convenience and minimum security and/or privacy. Furthermore, the contractual terms you are forced to agree to, if you want to use those products or services, typically absolve the company of virtually all liability and place that responsibility entirely on your shoulders. So it is completely up to you to take the time and effort to change the default settings, to improve your security and privacy, before using those products or services. The best practice, from an online security point of view, is that unless you specifically need to use some feature, it should be turned off. The same goes for privacy: unless you specifically want to reduce your privacy for a specific application, those settings should also be turned off. Pay particular attention to features such as your device microphone, camera, location (GPS) sensor, etc. Browser settings are also particularly important. Also be aware that culprit companies tend to bury these settings and make them difficult to find or use. There is plenty of information on the Internet on how to harden devices, applications and operating systems by choosing more appropriate settings, as well as how to increase your privacy.
- Where practical, encrypt everything you store or send over the Internet, unless you specifically want that to fall in the public domain.
- Avoid sensitive transactions on public WiFi, or on public computers. Never use any of your passwords on anyone else’s computer.
- Prevent thieves from being able to access your devices, in the event that those get stolen. For example, prevent them from gathering all the login passwords which you may have stored in your browser. Make sure you set proper user access passwords on each device. If your device has a reliable full-disk encryption option available (as most Apple products do), then use that as well (this means that they cannot access any files on your machine unless they provide your user password).
- Use proper, reputable anti-virus software.
- Stay away from dodgy websites, which can infect your device with malware.
- Do not leave your devices unattended around strange people.
- Be very careful of using USB memory sticks that have been used by others. If absolutely necessary, scan them for viruses and malware, before using them.
- Be very careful about what programs and apps you download onto your devices.
- Do not use products and services that violate your privacy, or force you to compromise your security. Consider using DuckDuckGo as your search engine and perhaps Firefox as your browser. Research the benefits those two companies offer with regard to improving your online security and privacy, to make up your own mind about that.
- Be very careful about what you upload to social media. Remember that you have very little control over how that will be interpreted or used. The potential downsides can be virtually limitless.